Nathaniel S. Good
Jens Grossklags
Joseph A. Konstan
ABSTRACT
Spyware is an increasing problem. Interestingly, many programs carrying spyware honestly disclose the activities of the software, but users install the software anyway. We report on a study of software installation to assess the effectiveness of different notices for helping people make better decisions on which software to install. Our study of 222 users showed that providing a short summary notice, in addition to the End User License Agreement (EULA), before the installation reduced the number of software installations significantly. We also found that providing the short summary notice after installation led to a significant number of uninstalls. However, even with the short notices, many users installed the program and later expressed regret for doing so. These results, along with a detailed analysis of installation, regret, and survey data about user behaviors informs our recommendations to policymakers and designers for assessing the "adequacy" of consent in the context of software that exhibits behaviors associated with spyware.
- Abrams, M., M. P. Eisenhauer, and L.J. Sotto Letter to Federal Trade Commission. March 29, 2004. Re: alternative forms of privacy notices, project no. P034815. Hunton & Williams: The Center for Information Policy Leadership.Google Scholar
- Acquisti, A., and J. Grossklags. 2005. Privacy and rationality in individual decision making. IEEE Security & Privacy 3(1): 26--33. Google ScholarDigital Library
- Anti Spyware Coalition, Anti Spyware Coalition Definitions and Supporting Documents, Working Report (June 29, 2006), available at http://www.antispywarecoalition.org/documents/documents/ASCDefinitionsWorkingReport20060622.pdfGoogle Scholar
- AOL and National Cyber Security Alliance. 2004. AOL/NCSA online safety study, (October). http://www.security.iia.net.au/downloads/safety_study_v04.pdfGoogle Scholar
- Bellia, P. L. Spyware and the Limits of Surveillance Law, 20 Berkeley Tech. L.J. 1283 (2005)Google Scholar
- Bellotti, V. and A. Sellen. 1993. Design for Privacy in Ubiquitous Computing Environments. In Proceedings of The Third European Conference on Computer Supported Cooperative Work (ECSCW'93). Milan, Italy: Kluwer Academic Publishers. Google ScholarDigital Library
- Blanke, J. M. "Robust Notice" and "informed Consent:" the Keys to Successful Spyware Legilsation, 7 Coum. Sci & Tech. L. Rev. 2 (2006).Google Scholar
- Buenaventura, M. A. Teaching a Man to Fish: Why National Legislation Anchored in Notice and Consent Provisions is the Most Effective Solution to the Spyware Problem, 13 Rich. J.L. & Tech. 1 (2006).Google Scholar
- Calinski, R.B. and Harabasz, J. 1974. "A Dendrite Method for Cluster Analysis," Comm. in Statistics, vol. 3, pp. 1--27.Google ScholarCross Ref
- Cranor, L.F., J. Reagle, and M. S. Ackerman.1999. Beyond concern: Understanding net users' attitudes about online privacy. In Ingo Vogelsang and Benjamin M. Compaine, eds. The Internet Upheaval: Raising Questions, Seeking Answers in Communications Policy. Cambridge, Massachusetts: The MIT Press, p. 47--70.Google ScholarCross Ref
- Cutrell, E., M. Czerwinski, and E. Horvitz. 2001. Notification, disruption, and memory: Effects of messaging interruptions on memory and performance. Proceedings of Interact 2001: IFIP Conference on Human-Computer Interaction, Tokyo, Japan. http://research.microsoft.com/~cutrell/interact2001messaging.pdf.Google Scholar
- Dhamija, R., Tygar, J. D., and Hearst, M. 2006. Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22-27, 2006). ACM Press, New York, NY, 581--590. Google ScholarDigital Library
- Earthlink. 2005. Earthlink spy audit: Results complied from Webroot's and Earthlink's Spy Audit programs, http://www.earthlink.net/spyaudit/press.Google Scholar
- Federal Trade Commission, Monitoring Software on Your PC: Spyware, Adware, and Other Software, http:www.ftc.gov/os/2005/03/050307spywarerpt.pdfGoogle Scholar
- Friedman, B., Howe, D., and Felten, E. 2002. Informed Consent in the Mozilla Browser: Implementing Value Sensitive Design. In Proceedings of the 35th Annual Hawaii international Conference on System Sciences (Hicss'02)-Volume 8 - Volume 8 (January 07-10, 2002). HICSS. IEEE Computer Society, Washington, DC, 247. Google ScholarDigital Library
- Goecks, J. and Mynatt., E.D. 2005. Supporting Privacy Management via Community Experience and Expertise, Proceedings of 2005 Conference on Communities and Technology, p. 397--418.Google ScholarCross Ref
- Good, N. S. and Krekelberg, A. 2003. Usability and privacy: a study of KaZaA P2P file-sharing. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Ft. Lauderdale, Florida, USA, April 05-10, 2003). CHI '03. ACM Press, New York, NY, 137--144. Google ScholarDigital Library
- Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., and Konstan, J. 2005. Stopping spyware at the gate: a user study of privacy, notice and spyware. In Proceedings of the 2005 Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, July 06-08, 2005). SOUPS '05, vol. 93. ACM Press, New York, NY, 43--52. Google ScholarDigital Library
- Hawkey, K. and Inkpen, K. M. 2006. Keeping up appearances: understanding the dimensions of incidental information privacy. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22-27, 2006). ACM Press, New York, NY. Google ScholarDigital Library
- Jensen, C., and C. Potts. 2004. Privacy policies as decision--making tools: An evaluation on online privacy notices. In CHI 2004 Connect: Conference Proceedings: April 24-29, Vienna Austria: Conference on Human Factors in Computing Systems 6(1): 471--78. New York: Association for Computing Machinery. Google ScholarDigital Library
- Karat, C., Karat, J., Brodie, C., and Feng, J. 2006. Evaluating interfaces for privacy policy rule authoring. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22-27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson, Eds. CHI '06. ACM Press, New York, NY, 83--92. Google ScholarDigital Library
- Norman, D. A. The Design of Everyday Things, 1988.Google Scholar
- Spiekermann, S., J. Grossklags, and B. Berendt. 2001. E-privacy in 2nd generation e-commerce: Privacy preferences versus actual behavior. In Proceedings of the Third ACM Conference on Electronic Commerce, Association for Computing Machinery (ACM EC'01), 38--47. New York: ACM Press. Google ScholarDigital Library
- Stiegler, M., Karp, A. H., Yee, K., Close, T., and Miller, M. S. 2006. Polaris: virus-safe computing for Windows XP. Commun. ACM 49, 9 (Sep. 2006), 83--88. Google ScholarDigital Library
- Trafton, J. G., E. M. Altmann, D. P. Brock, and F. E. Mintz. 2003. Preparing to resume an interrupted task: Effects of prospective goal encoding and retrospective rehearsal. International Journal of Human Computer Studies 58(4): 583--603. Google ScholarDigital Library
- Van Dantzich, M., R. Daniel, E. Horvitz, and M. Czerwinski. 2002. Scope: Providing awareness of multiple notifications at a glance. Proceedings of Advanced Visual Interfaces 2002, Trento, Italy. Google ScholarDigital Library
- Vila, T., R. Greenstadt, and D. Molnar. 2004. Why we can't be bothered to read privacy policies: Models of privacy economics as a lemons market. In Economics of Information Security. Vol 12 of Advances in Information Security, eds. L.J. Camp and S. Lewis, 143--154. Boston: Kluwer Academic Publishers.Google Scholar
- Wayne R. Barnes, Rethinking Spyware: Questioning the Propriety of Contractual Consent to Online Surveillance, 39 U.C. Davis L. Rev 1545 (2006).Google Scholar
- Winn, J. Contracting Spyware by Contract, 20 Berkeley Tech. L.J. 1345 (2005).Google Scholar
Index Terms
- Noticing notice: a large-scale experiment on the timing of software license agreements
Recommendations
Stopping spyware at the gate: a user study of privacy, notice and spyware
SOUPS '05: Proceedings of the 2005 symposium on Usable privacy and securitySpyware is a significant problem for most computer users. The term "spyware" loosely describes a new class of computer software. This type of software may track user activities online and offline, provide targeted advertising and/or engage in other ...
Empirical studies on software notices to inform policy makers and usability designers
FC'07/USEC'07: Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable SecurityWe evaluate the usability of End User License Agreements (EULAs) of popular consumer programs. Results from an empirical evaluation of 50 popular programs show the lack of accessibility and readability of notices. Our data from a recent study with 64 ...
Trust, privacy, and legal protection in the use of software with surreptitiously installed operations: An empirical evaluation
The class of software which is "surreptitiously installed on a user's computer and monitors a user's activity and reports back to a third party on that behavior" is referred to as spyware "(Stafford and Urbaczewski in Communications of the AIS 14:291---...
Comments