Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications

Baiqi Chen; Tingmin Wu; Yanjun Zhang; Mohan Baruwal Chhetri; Guangdong Bai

doi:10.1145/3579856.3590335

Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications

Baiqi Chen
, Tingmin Wu
, Yanjun Zhang
, Mohan Baruwal Chhetri
, Guangdong Bai

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

7 Citations (Scopus)

Abstract

The increasingly popular virtual personal assistant (VPA) services, e.g., Amazon Alexa and Google Assistant, enable third-party developers to create and release VPA apps for end users to access through smart speakers. Given that VPA apps handle sensitive personal data, VPA service providers require developers to release a privacy policy document to declare their data handling practice. The privacy policies are regarded as legal or semi-legal documents, which are usually lengthy and complex for users to understand. In this work, we conducted a subjective study to investigate the level of users' understanding of the privacy policies, targeting the VPA apps (i.e., skills) of Amazon Alexa, the most popular VPA service. Our study focused on technical terms, one of the greatest hurdles to users' understanding. We found that 84.2% of our participants faced difficulty in understanding technical terms appeared in the skills' privacy policies, even for participants with IT background. Additionally, 64.3% of them reported that explanations for the technical terms are generally lacking. To address this issue, we proposed two principles, i.e., domain-specificity principle and implication-oriented principle, to guide skill developers in creating easy-to-understand privacy policies. We evaluated their effectiveness by creating explanation sentences for 23 representative terms and examining users' understanding through a second user study. Our results show that using explanation sentences based on these principles can significantly improve users' understanding.

© 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

Original language	English
Title of host publication	ASIA CCS '23
Subtitle of host publication	Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	65-79
Number of pages	16
ISBN (Print)	979-8-4007-0098-9
DOIs	https://doi.org/10.1145/3579856.3590335
Publication status	Published - Jul 2023
Externally published	Yes
Event	18th ACM ASIA Conference on Computer and Communications Security (ASIA CCS 2023) - Melbourne, Australia Duration: 10 Jul 2023 → 14 Jul 2023 https://asiaccs2023.org/

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	18th ACM ASIA Conference on Computer and Communications Security (ASIA CCS 2023)
Abbreviated title	ACM ASIACCS 2023
Place	Australia
City	Melbourne
Period	10/07/23 → 14/07/23
Internet address	https://asiaccs2023.org/

Funding

Baiqi Chen is supported by the University of Queensland and CSIRO’s Data61 PhD scholarship. This work is supported in part by UQ Cyber Research Seed Funding.

Research Keywords

Privacy compliance
privacy policy
user study

Access Output

10.1145/3579856.3590335

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Chen, B., Wu, T., Zhang, Y., Chhetri, M. B., & Bai, G. (2023). Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications. In ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security (pp. 65-79). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3579856.3590335

Chen, Baiqi ; Wu, Tingmin ; Zhang, Yanjun et al. / Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications. ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, 2023. pp. 65-79 (Proceedings of the ACM Conference on Computer and Communications Security).

@inproceedings{d5c678b0be6947b89669a65bbdc9891a,

title = "Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications",

abstract = "The increasingly popular virtual personal assistant (VPA) services, e.g., Amazon Alexa and Google Assistant, enable third-party developers to create and release VPA apps for end users to access through smart speakers. Given that VPA apps handle sensitive personal data, VPA service providers require developers to release a privacy policy document to declare their data handling practice. The privacy policies are regarded as legal or semi-legal documents, which are usually lengthy and complex for users to understand. In this work, we conducted a subjective study to investigate the level of users' understanding of the privacy policies, targeting the VPA apps (i.e., skills) of Amazon Alexa, the most popular VPA service. Our study focused on technical terms, one of the greatest hurdles to users' understanding. We found that 84.2\% of our participants faced difficulty in understanding technical terms appeared in the skills' privacy policies, even for participants with IT background. Additionally, 64.3\% of them reported that explanations for the technical terms are generally lacking. To address this issue, we proposed two principles, i.e., domain-specificity principle and implication-oriented principle, to guide skill developers in creating easy-to-understand privacy policies. We evaluated their effectiveness by creating explanation sentences for 23 representative terms and examining users' understanding through a second user study. Our results show that using explanation sentences based on these principles can significantly improve users' understanding. {\textcopyright} 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.",

keywords = "Privacy compliance, privacy policy, user study",

author = "Baiqi Chen and Tingmin Wu and Yanjun Zhang and Chhetri, \{Mohan Baruwal\} and Guangdong Bai",

year = "2023",

month = jul,

doi = "10.1145/3579856.3590335",

language = "English",

isbn = "979-8-4007-0098-9",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "65--79",

booktitle = "ASIA CCS '23",

address = "United States",

note = "18th ACM ASIA Conference on Computer and Communications Security (ASIA CCS 2023), ACM ASIACCS 2023 ; Conference date: 10-07-2023 Through 14-07-2023",

url = "https://asiaccs2023.org/",

}

Chen, B, Wu, T, Zhang, Y, Chhetri, MB & Bai, G 2023, Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications. in ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 65-79, 18th ACM ASIA Conference on Computer and Communications Security (ASIA CCS 2023), Melbourne, Australia, 10/07/23. https://doi.org/10.1145/3579856.3590335

Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications. / Chen, Baiqi; Wu, Tingmin; Zhang, Yanjun et al.
ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, 2023. p. 65-79 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications

AU - Chen, Baiqi

AU - Wu, Tingmin

AU - Zhang, Yanjun

AU - Chhetri, Mohan Baruwal

AU - Bai, Guangdong

PY - 2023/7

Y1 - 2023/7

N2 - The increasingly popular virtual personal assistant (VPA) services, e.g., Amazon Alexa and Google Assistant, enable third-party developers to create and release VPA apps for end users to access through smart speakers. Given that VPA apps handle sensitive personal data, VPA service providers require developers to release a privacy policy document to declare their data handling practice. The privacy policies are regarded as legal or semi-legal documents, which are usually lengthy and complex for users to understand. In this work, we conducted a subjective study to investigate the level of users' understanding of the privacy policies, targeting the VPA apps (i.e., skills) of Amazon Alexa, the most popular VPA service. Our study focused on technical terms, one of the greatest hurdles to users' understanding. We found that 84.2% of our participants faced difficulty in understanding technical terms appeared in the skills' privacy policies, even for participants with IT background. Additionally, 64.3% of them reported that explanations for the technical terms are generally lacking. To address this issue, we proposed two principles, i.e., domain-specificity principle and implication-oriented principle, to guide skill developers in creating easy-to-understand privacy policies. We evaluated their effectiveness by creating explanation sentences for 23 representative terms and examining users' understanding through a second user study. Our results show that using explanation sentences based on these principles can significantly improve users' understanding. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

AB - The increasingly popular virtual personal assistant (VPA) services, e.g., Amazon Alexa and Google Assistant, enable third-party developers to create and release VPA apps for end users to access through smart speakers. Given that VPA apps handle sensitive personal data, VPA service providers require developers to release a privacy policy document to declare their data handling practice. The privacy policies are regarded as legal or semi-legal documents, which are usually lengthy and complex for users to understand. In this work, we conducted a subjective study to investigate the level of users' understanding of the privacy policies, targeting the VPA apps (i.e., skills) of Amazon Alexa, the most popular VPA service. Our study focused on technical terms, one of the greatest hurdles to users' understanding. We found that 84.2% of our participants faced difficulty in understanding technical terms appeared in the skills' privacy policies, even for participants with IT background. Additionally, 64.3% of them reported that explanations for the technical terms are generally lacking. To address this issue, we proposed two principles, i.e., domain-specificity principle and implication-oriented principle, to guide skill developers in creating easy-to-understand privacy policies. We evaluated their effectiveness by creating explanation sentences for 23 representative terms and examining users' understanding through a second user study. Our results show that using explanation sentences based on these principles can significantly improve users' understanding. © 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.

KW - Privacy compliance

KW - privacy policy

KW - user study

UR - https://www.scopus.com/pages/publications/85168110360

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85168110360&origin=recordpage

U2 - 10.1145/3579856.3590335

DO - 10.1145/3579856.3590335

M3 - RGC 32 - Refereed conference paper (with host publication)

SN - 979-8-4007-0098-9

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 65

EP - 79

BT - ASIA CCS '23

PB - Association for Computing Machinery

T2 - 18th ACM ASIA Conference on Computer and Communications Security (ASIA CCS 2023)

Y2 - 10 July 2023 through 14 July 2023

ER -

Chen B, Wu T, Zhang Y, Chhetri MB, Bai G. Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications. In ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery. 2023. p. 65-79. (Proceedings of the ACM Conference on Computer and Communications Security). Epub 2023 Jul 10. doi: 10.1145/3579856.3590335

Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications

Abstract

Publication series

Conference

Funding

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this