Smartphones and privacy: David Lie and Lisa Austin on why we give access to apps

By Matthew Tierney

The screen of a smartphone displays a grid of icons for different apps, including instagram, twitter, facebook and whatsapp.

(Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images)

If you hesitate when an app on your phone asks to access your location you’re not alone.

That’s according to a new study from University of Toronto researchers that was conducted in four languages and across five continents.

In a paper presented at Usenix Security’s Symposium last week, U of T researchers examined why users choose to grant or deny permission when apps request access to contacts, calendars, microphones and more. The iPhone and Android operating systems give users control over data access when installing an app and during the app’s operation – a process known as a “runtime permission request.”

David Lie (BASc 1998), a professor in the Edward S. Rogers Sr. department electrical and computer engineering (ECE) in the Faculty of Applied Science & Engineering, says that when the team initially set out to determine which factors influence behaviour, they had no idea user expectations would be so significant.

An unexpected request is more than twice as likely to be denied

“An unexpected request is more than twice as likely to be denied,” Lie says. “Also, if there is some explanation for it – if the app conveys to the user why it needs access to something – then we see the denial rate cut in half.

“App developers and smartphone OS designers should give serious consideration to how they communicate and set expectations with their users, which is more important than previously thought.”

The multidisciplinary team of researchers included Lisa Austin (MA 1995, LLB 1998, PhD 2005), a cross-appointed ECE professor who is also chair in law and technology in the Faculty of Law. Both Austin and Li are also affiliated with the Schwartz Reisman Institute for Technology and Society.

In a picture taken before the COVID-19 pandemic, Lisa Austin and Davie Lie stand together in a hallway. — Professors Lisa Austin and David Lie, pictured here prior to the COVID-19 pandemic, are part of a multidisciplinary team behind a new global study that explores the privacy expectations and behaviour of smartphone users (photo by Jessica MacInnis)

To gather data for the study, the team developed an Android app, named PrivaDroid, that runs in the background of each participant’s phone for 30 days. After each new app installation or runtime permission request, PrivaDroid asks participants whether they expected the request and their rationale behind either granting or denying it.

Using online advertising, they recruited more than 1,700 participants from a variety of countries with contrasting privacy legislation and levels of economic development. Over several months ending in the spring of 2020, PrivaDroid observed more than 36,000 permission events.

This was first time someone has been able to do a global smartphone study ‘in the wild’

“Previous studies were constrained to more artificial environments, where participants come into a lab or are set up with phone that’s not their own device,” says Lie. “This was first time someone has been able to do a global smartphone study ‘in the wild.’”

Past research has shown that factors such as age, gender, country of residence and level of education can influence privacy behaviour.

“Our study confirms this,” says Lie. “For example, women are more cautious about granting permissions than men, and young people grant permissions more often than older ones – but not as much as you might think.”

Another finding was that participants who were rated ‘privacy sensitive’ according to the international Internet Users’ Information Privacy Concerns privacy scale have highly variable deny rates – and nearly 30 per cent of them grant permissions more frequently than average.

“This gap between stated behaviour and actual behaviour is known as the ‘privacy paradox,’” says Lie. “This gap would make sense with behaviour one wouldn’t be proud of, but it’s hard to see how that applies with privacy. It’s a puzzle.”

This gap between stated behaviour and actual behaviour is known as the ‘privacy paradox'

Are these people paying lip service to privacy concerns and then prioritizing their own convenience in the moment? The study reveals that this apparent contradictory behaviour is more nuanced.

“The privacy-sensitive group who granted a lot of permissions said they expected them,” says Lie. “It’s possible they have a better understanding of how and why applications use permissions – that they’re avoiding the ‘creepy’ apps and installing the more transparent ones.”

“So many complex technical and geopolitical issues converge around privacy,” says Professor Deepa Kundur (BASc 1993, MASc 1995, PhD 1999), chair of ECE. “They truly demand a multidisciplinary approach and a long runway. This smartphone privacy study may be a first in its size, scope and complexity, but hopefully it’s the first of many.”

Though prudence might suggest people deny permissions, “that belies how they actually use their phones,” says Lie. “If you really didn’t want what the app provided, or you thought the developer was malicious, you’d just uninstall the app. Smartphone users are telling us that clearly communicating expectations builds trust, and trust plays an important role in granting permissions.”