Negotiating Mobile App Permissions

When people install an Android app on their smartphone, they are required to accept all permissions requested by the app in order to proceed with installation. That is, the consent mechanism of the app market limits the user to a binary decision: either take it, or leave it. However, there is often little to no information about the purpose for accessing this information, with apps often requesting permissions that have little to do with the app and are used only for advertising purposes [5]. For instance, an app might not need location data but might still require access in order to run (a common example [8] is Angry birds by Rovio). In previous research it was found that only 7% of apps presented a privacy policy within the app’s page [2]. These policies are often long, full of legal terminology, and are hard to read on a small screen. Furthermore, people are often unaware that apps may collect their personal data [3] due to the fact that the permission mechanisms are often difficult to understand [9] and that part of this collection happens silently in the background [6]. When users are made aware of this collection, they feel much less willing to share those data which they perceive be extremely sensitive [4, 9]. Some express shock and a desire to remove the app [7, 8] or experience a sense of “creepiness” that results in a loss of trust [11]. The perceived sensitivity of data is often personal and can also vary within the individual’s context [10, 12]. For example, a user might be willing to share when he or she is at a certain location or while engaging in a certain activity (e.g. relaxing), but not when performing another (e.g. working). It is impossible to consent to the collection of data for every foreseeable purpose, given the incomplete, missing or difficult to understand information [9] users receive when making the decision about whether to install an app. Another critical problem is posed by timing: a person is asked at the time of purchase to make potentially complex decisions about whether to allow access. This may be too cognitively complex in the context of undertaking a broader task, or in environments that place other demands on the person’s attention. To address each of these issues, we propose a design in which the user can negotiate the app’s permissions to access their personal data. For example, users who prefer not to view ads could opt to pay an additional fee for this, as is currently offered within certain apps such as “Cut the Rope”. However, negotiating with each app might be cumbersome and difficult to achieve by users. Hence, to make this process easier, we propose an approach that uses an agent-based framework that employs software agents to represent users in their privacy negotiation with the app in an automated manner [13, 14, 15]. Negotiation allows for every permission to be agreed upon separately, leading to a more finegrained solution that is acceptable, reasonable and meaningful for both parties [16]. This way, users are able to obtain a customized data contract that respects their privacy preferences, while app developers may get a sale from otherwise hesitant users, with an increase in trust, higher customer satisfaction, and consent that is more meaningful – and possibly at a higher revenue than expected. For granularity of context, the agent interaction enables both the developer and the purchaser to negotiate an acceptable deal for services that may include both context-sensitive data and price or no deal. For timing, the policy with which the agent engages an app can be set well in advance of any purchase, and refined with the user at appropriate and scheduled times for review not unlike reviewing insurance or bank statements. We see this approach as a win-win opportunity for both developers and purchasers as well as providing a new opportunity for app stores to act as a negotiation hub.