In my senior year at Wellesley, I wrote an Honors Thesis (Proactive Protections for Smartphone Users’ Personal Data in the Mobile Ecosystem) under the advisement of Prof. Ada Lerner.

While the embargo expired in May 2022, it has not been published yet in the Wellesley repository and so I link unofficial copies and materials below.

Abstract

The lack of United States legislation protecting the personal data of smartphone users has made it possible for companies to harvest a wide variety of app users’ data. The resulting mobile app ecosystem lacks proactive end-user privacy protections; rather, smartphone users are forced to reactively address privacy violations. We share three studies we conducted to inform the design of tools smartphone users can employ to assess the data collection properties of an app, before they make their data vulnerable by downloading the app. Specifically, we examine what role the average user should have in this proactive data protection system, following Cranor’s taxonomy of user roles in security systems. Our studies answer whether or not data collection has a significant impact on users’ trustworthiness assessment of mobile apps and whether users can detect the collection of specific data types with accuracy. Finally, we examine if our results from these studies – based on generic gaming apps – hold true for apps that handle sensitive medical data, specifically menstrual cycle tracking apps. Our results indicate that users are concerned with data collection, but have trouble accurately detecting the collection of specific data types, which, along with a literature review of current proactive privacy tools that have yet to be adopted at scale, informs our suggestion for a proactive privacy tool. We suggest a multi-tiered system implemented at the app marketplace level that would provide smartphone users with information about the data collection properties of a given app, but would also allow them to decide whether they want to see a computed trust assessment score or make a decision for themselves based on a list of the data types collected.

The following are archival links for the work that may not be active until May 2022: