Abstract
Under certain circumstances, consumers are willing to pay a premium for privacy. We explore how choice architecture affects smartphone users’ stated willingness to install applications that request varying permissions. We performed two experiments to gauge smartphone users’ stated willingness to pay premiums to limit their personal information exposure when installing applications. When participants were comparison shopping between multiple applications that performed similar functionality, a quarter of our sample indicated a willingness to pay a $1.50 premium for the application that requested the fewest permissions—though only when viewing the requested permissions of each application side-by-side. In a second experiment, we more closely simulated the user experience by asking them to valuate a single application that featured multiple sets of permissions based on five between-subjects conditions. In this scenario, the requested permissions had a much smaller impact. Our results suggest that many smartphone users are concerned with their privacy and are willing to pay premiums for applications that are less likely to request access to personal information, but that the current choice architectures do not support this. We propose improvements for smartphone application markets that could result in decreased satisficing and increased rational behavior.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The term “choice architecture” refers to the way in which options are presented to people, as these design decisions can have a profound impact on decision-making [34].
- 2.
We identified invalid results based on two factors. First, we included several questions that required free text responses, such as, “why or why not would you purchase this application.” Using these questions, we deleted surveys that contained nonsensical responses. Second, in addition to asking participants to select the application that they were most willing to purchase, we also asked them to select the application that they were least willing to purchase. We removed participants who gave the same answer to both questions.
- 3.
We did not show the permission request screen. To negate priming, all participants viewed the $1.99 version, which was associated with only the INTERNET permission in the previous tasks.
- 4.
This Android permission does not actually exist; no permission is needed to access stored photos.
- 5.
When we made the price “free,” skewness and kurtosis were 8.36 and 71.03, respectively (n = 159). Whereas when we set the price to “$0.99,” skewness and kurtosis were 1.72 and 5.74 (n = 163). This anchoring effect was statistically significant: U = 10078. 5, p < 0. 0005, μ free = $2. 94 (σ = 11. 09), μ $0. 99 = $1. 11 (σ = 0. 57).
- 6.
This corresponded to bids over $100 and suggested prices over $2.99. Prior to removing outliers, the skewness and kurtosis for the bids were 18.65 and 353.15, respectively. After removing outliers, they became 2.15 and 4.10. Regarding the suggested prices, the original skewness and kurtosis were 5.87 and 50.27, but were reduced to 0.63 and 1.79, after removing outliers.
References
Acquisti, A.: Privacy in electronic commerce and the economics of immediate gratification. In: Proceedings of the ACM Electronic Commerce Conference (EC ’04), New York. ACM, New York (2004)
Acquisti, A., Grossklags, J.: Privacy and rationality in individual decision making. IEEE Secur. Priv. 3(1), 26–33 (2005). http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1392696
Acquisti, A., John, L., Loewenstein, G.: What is privacy worth? In: Twenty First Workshop on Information Systems and Economics (WISE), Phoenix (2009)
Agele, M., Kruegel, C., Kirda, E., Vigna, G.: Pios: detecting privacy leaks in iOS applications. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego (2011)
Android Developers: Manifest.permission. http://developer.android.com/reference/android/Manifest.permission.html. Accessed 28 Dec 2011
Barkhuus, L.: Privacy in location-based services, concern vs. coolness. In: Workshop on Location System Privacy and Control at MobileHCI ’04, Glasgow (2004)
Barkhuus, L., Dey, A.: Location-based services for mobile telephony: a study of users’ privacy concerns. In: INTERACT’03, Zurich, pp. 702–712 (2003)
Beautement, A., Sasse, M.A., Wonham, M.: The compliance budget: managing security behaviour in organisations. In: Proceedings of the 2008 Workshop on New Security Paradigms, NSPW ’08, Lake Tahoe, pp. 47–58. ACM, New York (2008)
Böhme, R., Grossklags, J.: The security cost of cheap user interaction. In: Proceedings of the 2011 New Security Paradigms Workshop (NSPW), Marin County. ACM, New York (2011)
Chia, P.H., Yamamoto, Y., Asokan, N.: Is this App safe? A large scale study on application permissions and risk signals. In: World Wide Web Conference, Lyon (2012)
Consolvo, S., Smith, I.E., Matthews, T., LaMarca, A., Tabert, J., Powledge, P.: Location disclosure to social relations: why, when, & what people want to share. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI ’05, Portland. ACM, New York (2005)
Cvrcek, D., Kumpost, M., Matyas, V., Danezis, G.: A study on the value of location privacy. In: Proceedings of the 2006 Workshop on Privacy in an Electronic Society (WPES’06), Alexandria (2006)
Danezis, G., Lewis, S., Anderson, R.: How much is location privacy worth? In: Proceedings of the Workshop on the Economics of Information Security (WEIS 2005), Cambridge (2005)
Egelman, S., Tsai, J., Cranor, L.F., Acquisti, A.: Timing is everything? The effects of timing and placement of online privacy indicators. In: Proceedings of the 27th International Conference on Human Factors in Computing Systems, CHI ’09, Boston. ACM, New York (2009)
Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), Chicago. ACM, New York (2009)
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI’10, Vancouver. USENIX Association, Berkeley (2010)
Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of Android application security. In: Proceedings of the 20th USENIX Security Conference USENIX Association, Berkeley (2011)
Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions. In: Proceedings of the 2nd USENIX Conference on Web Application Development, WebApps’11, Portland, pp. 7–7. USENIX Association, Berkeley (2011)
Felt, A.P., Egelman, S., Wagner, D.: I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns. In: Proceedings of the ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), Raleigh (2012)
Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the 2012 Symposium on Usable Privacy and Security (SOUPS), Washington, DC (2012)
Gideon, J., Egelman, S., Cranor, L., Acquisti, A.: Power strips, prophylactics, and privacy, oh my! In: Proceedings of the 2006 Symposium on Usable Privacy and Security, Pittsburgh (2006)
Good, N., Dhamija, R., Grossklags, J., Aronovitz, S., Thaw, D., Mulligan, D., Konstan, J.: Stopping spyware at the gate: a user study of privacy, notice and spyware. In: Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2005), Pittsburgh (2005)
Grossklags, J., Acquisti, A.: When 25 cents is too much: an experiment on willingness-to-sell and willingness-to-protect personal information. In: Proceedings (online) of the Sixth Workshop on Economics of Information Security (WEIS), Pittsburgh (2007)
Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: retrofitting Android to protect data from imperious applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS), Chicago. ACM, New York (2011)
Huberman, B., Adar, E., Fine, L.: Valuating privacy. IEEE Secur. Priv. 3(5), 22–25 (2005)
Iachello, G., Smith, I., Consolvo, S., Chen, M., Abowd, G.D.: Developing privacy guidelines for social location disclosure applications and services. In: Proceedings of the 2005 Symposium on Usable Privacy and Security, SOUPS ’05, Pittsburgh, pp. 65–76. ACM, New York (2005)
Lederer, S., Mankoff, J., Dey, A.K.: Who wants to know what when? Privacy preference determinants in ubiquitous computing. In: CHI ’03 Extended Abstracts on Human Factors in Computing Systems, CHI EA ’03, Ft. Lauderdale, pp. 724–725. ACM, New York (2003)
McDonald, A.M., Cranor, L.F.: Beliefs and behaviors: internet users’ understanding of behavioral advertising. In: 38th Research Conference on Communication, Information and Internet Policy (Telecommunications Policy Research Conference), Arlington (2010)
Nauman, M., Khan, S., Zhang, X.: Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS), Beijing. ACM, New York (2010)
Pearce, P., Felt, A.P., Nunez, G., Wagner, D.: Addroid: privilege separation for applications and advertisers in Android. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS), Seoul. ACM, New York (2012)
Purcell, K.: Half of adult cell phone owners have apps on their phones. Pew Internet & American Life Project. http://pewinternet.org/Reports/2011/Apps-update.aspx (2011)
Simonite, T.: Apple ignored warning on address-book access. Technology Review (MIT). http://www.technologyreview.com/communications/39746/ (2012)
Spiekermann, S., Grossklags, J., Berendt, B.: E-privacy in 2nd generation E-commerce: privacy preferences versus actual behavior. In: Proceedings of EC’01: Third ACM Conference on Electronic Commerce, Tampa, pp. 38–47 (2001)
Thaler, R., Sunstein, C.: Nudge: Improving Decisions About Health, Wealth, and Happiness. Yale University Press, New Haven/London (2008)
Tsai, J., Egelman, S., Cranor, L., Acquisti, A.: The effect of online privacy information on purchasing behavior: an experimental study. In: Proceedings of the 2007 Workshop on the Economics of Information Security (WEIS’07), Pittsburgh (2007)
Westin, A.F.: E-Commerce & Privacy: What Net Users Want. Privacy & American Business, Hackensack (1998)
Wiese, J., Kelley, P.G., Cranor, L.F., Dabbish, L., Hong, J.I., Zimmerman, J.: Are you close with me? Are you nearby? Investigating social groups, closeness, and willingness to share. In: Proceedings of the 13th International Conference on Ubiquitous Computing, UbiComp ’11, Beijing, pp. 197–206. ACM, New York (2011)
Zickuhr, K.: Generations and their gadgets. http://pewinternet.org/Reports/2011/Generations-and-gadgets/Report/Cell-phones.aspx (2011). Accessed 2 Oct 2012
Acknowledgements
The authors would like to thank Jaeyeon Jung and Stuart Schechter for their feedback. This work was supported by Intel, through the ISTC for Secure Computing. The co-author Adrienne Porter Felt was affiliated with the University of California, Berkeley, at the time of this work.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Egelman, S., Felt, A.P., Wagner, D. (2013). Choice Architecture and Smartphone Privacy: There’s a Price for That. In: Böhme, R. (eds) The Economics of Information Security and Privacy. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39498-0_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-39498-0_10
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39497-3
Online ISBN: 978-3-642-39498-0
eBook Packages: Computer ScienceComputer Science (R0)