Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications

Chen, B; Wu, T; Zhang, Y; Chhetri, MB; Bai, G

Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications

Chen, B Wu, T Zhang, Y

Chhetri, MB Bai, G

Permalink

Publisher:: ASSOC COMPUTING MACHINERY
Publication Type:: Conference Proceeding
Citation:: Proceedings of the ACM Conference on Computer and Communications Security, 2023, pp. 65-79
Issue Date:: 2023-07-10

Closed Access

	Filename	Description	Size
	23‘ AsiaCCS PP-VPA.pdf	Accepted version	1.76 MB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Chen, B
dc.contributor.author	Wu, T
dc.contributor.author	Zhang, Y https://orcid.org/0000-0001-5611-3483
dc.contributor.author	Chhetri, MB
dc.contributor.author	Bai, G
dc.date	2023-07-10
dc.date.accessioned	2024-02-01T00:45:28Z
dc.date.available	2024-02-01T00:45:28Z
dc.date.issued	2023-07-10
dc.identifier.citation	Proceedings of the ACM Conference on Computer and Communications Security, 2023, pp. 65-79
dc.identifier.isbn	9798400700989
dc.identifier.issn	1543-7221
dc.identifier.uri	http://hdl.handle.net/10453/175175
dc.description.abstract	The increasingly popular virtual personal assistant (VPA) services, e.g., Amazon Alexa and Google Assistant, enable third-party developers to create and release VPA apps for end users to access through smart speakers. Given that VPA apps handle sensitive personal data, VPA service providers require developers to release a privacy policy document to declare their data handling practice. The privacy policies are regarded as legal or semi-legal documents, which are usually lengthy and complex for users to understand. In this work, we conducted a subjective study to investigate the level of users' understanding of the privacy policies, targeting the VPA apps (i.e., skills) of Amazon Alexa, the most popular VPA service. Our study focused on technical terms, one of the greatest hurdles to users' understanding. We found that 84.2% of our participants faced difficulty in understanding technical terms appeared in the skills' privacy policies, even for participants with IT background. Additionally, 64.3% of them reported that explanations for the technical terms are generally lacking. To address this issue, we proposed two principles, i.e., domain-specificity principle and implication-oriented principle, to guide skill developers in creating easy-to-understand privacy policies. We evaluated their effectiveness by creating explanation sentences for 23 representative terms and examining users' understanding through a second user study. Our results show that using explanation sentences based on these principles can significantly improve users' understanding.
dc.language	en
dc.publisher	ASSOC COMPUTING MACHINERY
dc.relation.ispartof	Proceedings of the ACM Conference on Computer and Communications Security
dc.relation.ispartof	18th ACM ASIA Conference on Computer and Communications Security (ASIA CCS)
dc.relation.isbasedon	10.1145/3579856.3590335
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Investigating Users' Understanding of Privacy Policies of Virtual Personal Assistant Applications
dc.type	Conference Proceeding
utslib.location.activity	AUSTRALIA, Melbourne
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2024-02-01T00:45:27Z
pubs.finish-date	2023-07-14
pubs.publication-status	Published
pubs.start-date	2023-07-10

Abstract:

The increasingly popular virtual personal assistant (VPA) services, e.g., Amazon Alexa and Google Assistant, enable third-party developers to create and release VPA apps for end users to access through smart speakers. Given that VPA apps handle sensitive personal data, VPA service providers require developers to release a privacy policy document to declare their data handling practice. The privacy policies are regarded as legal or semi-legal documents, which are usually lengthy and complex for users to understand. In this work, we conducted a subjective study to investigate the level of users' understanding of the privacy policies, targeting the VPA apps (i.e., skills) of Amazon Alexa, the most popular VPA service. Our study focused on technical terms, one of the greatest hurdles to users' understanding. We found that 84.2% of our participants faced difficulty in understanding technical terms appeared in the skills' privacy policies, even for participants with IT background. Additionally, 64.3% of them reported that explanations for the technical terms are generally lacking. To address this issue, we proposed two principles, i.e., domain-specificity principle and implication-oriented principle, to guide skill developers in creating easy-to-understand privacy policies. We evaluated their effectiveness by creating explanation sentences for 23 representative terms and examining users' understanding through a second user study. Our results show that using explanation sentences based on these principles can significantly improve users' understanding.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/175175