Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

The Curious Case of the PDF Converter that Likes Mozart: Dissecting and Mitigating the Privacy Risk of Personal Cloud Apps

The Curious Case of the PDF Converter that Likes Mozart: Dissecting and Mitigating the Privacy... Abstract Third party apps that work on top of personal cloud services, such as Google Drive and Drop-box, require access to the user’s data in order to provide some functionality. Through detailed analysis of a hundred popular Google Drive apps from Google’s Chrome store, we discover that the existing permission model is quite often misused: around two-thirds of analyzed apps are over-privileged, i.e., they access more data than is needed for them to function. In this work, we analyze three different permission models that aim to discourage users from installing over-privileged apps. In experiments with 210 real users, we discover that the most successful permission model is our novel ensemble method that we call Far-reaching Insights. Far-reaching Insights inform the users about the data-driven insights that apps can make about them (e.g., their topics of interest, collaboration and activity patterns etc.) Thus, they seek to bridge the gap between what third parties can actually know about users and users’ perception of their privacy leakage. The efficacy of Far-reaching Insights in bridging this gap is demonstrated by our results, as Far-reaching Insights prove to be, on average, twice as effective as the current model in discouraging users from installing over-privileged apps. In an effort to promote general privacy awareness, we deployed PrivySeal, a publicly available privacy-focused app store that uses Far-reaching Insights. Based on the knowledge extracted from data of the store’s users (over 115 gigabytes of Google Drive data from 1440 users with 662 installed apps), we also delineate the ecosystem for 3rd party cloud apps from the standpoint of developers and cloud providers. Finally, we present several general recommendations that can guide other future works in the area of privacy for the cloud. To the best of our knowledge, ours is the first work that tackles the privacy risk posed by 3rd party apps on cloud platforms in such depth. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Proceedings on Privacy Enhancing Technologies de Gruyter

The Curious Case of the PDF Converter that Likes Mozart: Dissecting and Mitigating the Privacy Risk of Personal Cloud Apps

Download PDF
21 pages

Loading next page...
 
/lp/de-gruyter/the-curious-case-of-the-pdf-converter-that-likes-mozart-dissecting-and-QkHs0yUedO
Publisher
de Gruyter
Copyright
Copyright © 2016 by the
ISSN
2299-0984
eISSN
2299-0984
DOI
10.1515/popets-2016-0032
Publisher site
See Article on Publisher Site

Abstract

Abstract Third party apps that work on top of personal cloud services, such as Google Drive and Drop-box, require access to the user’s data in order to provide some functionality. Through detailed analysis of a hundred popular Google Drive apps from Google’s Chrome store, we discover that the existing permission model is quite often misused: around two-thirds of analyzed apps are over-privileged, i.e., they access more data than is needed for them to function. In this work, we analyze three different permission models that aim to discourage users from installing over-privileged apps. In experiments with 210 real users, we discover that the most successful permission model is our novel ensemble method that we call Far-reaching Insights. Far-reaching Insights inform the users about the data-driven insights that apps can make about them (e.g., their topics of interest, collaboration and activity patterns etc.) Thus, they seek to bridge the gap between what third parties can actually know about users and users’ perception of their privacy leakage. The efficacy of Far-reaching Insights in bridging this gap is demonstrated by our results, as Far-reaching Insights prove to be, on average, twice as effective as the current model in discouraging users from installing over-privileged apps. In an effort to promote general privacy awareness, we deployed PrivySeal, a publicly available privacy-focused app store that uses Far-reaching Insights. Based on the knowledge extracted from data of the store’s users (over 115 gigabytes of Google Drive data from 1440 users with 662 installed apps), we also delineate the ecosystem for 3rd party cloud apps from the standpoint of developers and cloud providers. Finally, we present several general recommendations that can guide other future works in the area of privacy for the cloud. To the best of our knowledge, ours is the first work that tackles the privacy risk posed by 3rd party apps on cloud platforms in such depth.

Journal

Proceedings on Privacy Enhancing Technologiesde Gruyter

Published: Oct 1, 2016

References

  • Simultaneous inference in general parametric models vol no pp
    Hothorn
  • privacy paradox Social networking in the united states First vol no
    Barnes
  • design space for effective privacy notices in Proceedings of the Eleventh Symposium on Usable Privacy and
    Schaub
  • How polymorphic warnings reduce habituation in the Insights from an fmri study in Proceedings of the rd Annual ACM Conference on Human Factors in Computing Systems ser CHI New pp
    Anderson
  • Privacy nudges for social media : An exploratory facebook study in Proceedings of the Nd International Conference on ser WWW Companion Republic of Switzerland Web Conferences Steering Committee pp
    Wang
  • Privacy as part of the app decision - making process in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems ser CHI New York pp
    Kelley
  • Is this app safe large scale study on application permissions and risk signals in Proceedings of the st International Conference on World Wide ser WWW New York pp
    Chia
  • The effectiveness of application permissions in Proceedings of the Conference on Web Application Development ser CA pp
    Felt
  • Open source biometric recognition in Theory Applications and Systems Sixth International Conference on Sept
    Klontz
  • crowdsourced cloud privacy in
    Harkous
  • Using personal examples to improve risk communication for security & privacy decisions in Proceedings of the ACM Conference on Human Factors in Computing Systems ser CHI New York pp
    Harbach
  • Imagenet classification with deep convolutional neural networks in Advances in neural information processing systems
    Krizhevsky
  • Large - scale evaluation of social networking apps in Proceedings of the First ACM Conference on Online Social Networks ser New York pp
    Huber
  • Inverse privacy revised
    Gurevich
  • Privacy as part of the app decision - making process in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems ser CHI New York pp
    Kelley
  • rank - order distance based clustering algorithm for face tagging in Proceedings of the Conference on Computer Vision and ser pp
    Zhu
  • Is this app safe large scale study on application permissions and risk signals in Proceedings of the st International Conference on World Wide ser WWW New York pp
    Chia
  • rank - order distance based clustering algorithm for face tagging in Proceedings of the Conference on Computer Vision and ser pp
    Zhu
  • architecture for fast feature embedding arXiv preprint arXiv
    Jia
  • Towards automating risk assessment of mobile applications in Proceedings of the Conference on Security ser SEC CA pp
    Pandita
  • Privacy nudges for social media : An exploratory facebook study in Proceedings of the Nd International Conference on ser WWW Companion Republic of Switzerland Web Conferences Steering Committee pp
    Wang
  • Optics Ordering points to identify the clustering structure in Proceedings of the International Conference on Management of Data ser New York pp
    Ankerst
  • Inverse privacy revised
    Gurevich
  • Simultaneous inference in general parametric models vol no pp
    Hothorn
  • The effectiveness of application permissions in Proceedings of the Conference on Web Application Development ser CA pp
    Felt
  • Fitting linear mixed - effects models using lme of vol no pp
    Bates
  • Mining multi label data in and Handbook US
    Tsoumakas
  • crowdsourced cloud privacy in
    Harkous
  • Optics Ordering points to identify the clustering structure in Proceedings of the International Conference on Management of Data ser New York pp
    Ankerst
  • design space for effective privacy notices in Proceedings of the Eleventh Symposium on Usable Privacy and
    Schaub
  • Large - scale evaluation of social networking apps in Proceedings of the First ACM Conference on Online Social Networks ser New York pp
    Huber
  • Mining multi label data in and Handbook US
    Tsoumakas
  • Personalization of warning signs : The role of perceived relevance on behavioral compliance vol no pp
    Wogalter
  • privacy paradox Social networking in the united states First vol no
    Barnes
  • Personalization of warning signs : The role of perceived relevance on behavioral compliance vol no pp
    Wogalter
  • architecture for fast feature embedding arXiv preprint arXiv
    Jia
  • How polymorphic warnings reduce habituation in the Insights from an fmri study in Proceedings of the rd Annual ACM Conference on Human Factors in Computing Systems ser CHI New pp
    Anderson
  • Open source biometric recognition in Theory Applications and Systems Sixth International Conference on Sept
    Klontz
  • Fitting linear mixed - effects models using lme of vol no pp
    Bates
  • Towards automating risk assessment of mobile applications in Proceedings of the Conference on Security ser SEC CA pp
    Pandita
  • Using personal examples to improve risk communication for security & privacy decisions in Proceedings of the ACM Conference on Human Factors in Computing Systems ser CHI New York pp
    Harbach
  • Imagenet classification with deep convolutional neural networks in Advances in neural information processing systems
    Krizhevsky