You’re not alone if you get the feeling that some of the Android apps that you use on your smartphone are a little too nosy, a little bit too eager to dig through your conversations, spy on your location, or take a look at the photos that you snap to share with your friends or family. Our Internet privacy is a dubious thing. So researchers are trying to figure out the best way for an operating system to help you take charge of your privacy, without overwhelming you with constant requests.
Researchers at the University of British Columbia and the University of California at Berkeley wrote a study called “Android Permissions Remystified: A Field Study on Contextual Integrity” (PDF) to explore the concept of contextual integrity, i.e., “how often applications access protected resources when users are not expecting it.” They collected 27 million data points to learn about the situations in which users would prefer to deny their Android apps some of the permissions that they request. The researchers concluded that users want to block “over a third of all requests.”
As Laura Hautala reports for CNET, questions like “Where are you right now?” or “Can I see a list of everyone you know?” or “Can I look through your photos?” are “impertinent questions from any source, including your smartphone.” So it’s no surprise that people who own Android phones wish that they could say no to the apps that make those requests. But Android’s problem with app permissions is not a dilemma that Google has been quick to solve.
With all versions of Android before Android Marshmallow, the operating system asks users to agree to a list of permissions that the app might use in the future. If the user is uncomfortable granting any of those permissions, the only choice is to forgo installing the app. But in Android Marshmallow, users are able to sign off on specific permissions before they install an app, and are prompted to grant permission the first time that an app requests access to different data types, like their location, their address book contacts, or their photos.
That sounds like a pretty good fix. But unfortunately, very few users are running the latest version of Android, with just over 2% of devices running Android 6.0 as of the latest count. And the researchers report that very few people actually read the permission requests (and even fewer comprehend them) when they’re installing an app. They’re also overwhelmed by the sheer number of permission requests they have to grant and privacy policies they have to accept, which can make it more difficult for them to understand exactly how they can expect their information to be used in the future
Researchers posit that privacy violations occur when users’ personal information is used in ways that defy their expectations. Their study found that a full third of the instances in which apps accessed data were doing so for purposes that ran counter to users’ expectations. To help users make informed decisions about how their data is being used, the researchers think that smartphones should ask for permissions only when an app’s access to sensitive data is likely to defy their expectations. And making it easier for users to fine-tune the permissions that an app is granted from a single interface, rather than through a series of pop-ups, would be a more practical option than the system that’s currently in place.
As Hautala reports, the problem underscores “how exhausting it is for us to manage our privacy, let alone figure out what we want our phones to do.” The situation also mirrors past operating systems’ struggles with how to handle users’ privacy and how often to ask them for permissions. Microsoft’s Windows Vista was criticized for asking users’ permission far too often, to complete even basic functions.
The question for Android is how the software can give users control over the things that they really care about, without overwhelming them with unnecessary requests. The fact that 80% of participants in the study would have said “no” to at least one permission request if they’d been given the opportunity — combined with the fact that the average participant wanted to say “no” to a third of all the permissions their phone has demanded in order to run apps — illustrates that it’s a question that’s far from figured out.