Stopping spyware at the gate

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback
Take a look at the new version of this page: [ beta version ]. Tell us what you think.

Stopping spyware at the gate: a user study of privacy, notice and spyware

Full text

Pdf (395 KB)

Source

ACM International Conference Proceeding Series; Vol. 93 archive
Proceedings of the 2005 symposium on Usable privacy and security table of contents

Pittsburgh, Pennsylvania

Pages: 43 - 52

Year of Publication: 2005

ISBN:1-59593-178-3

Authors

Nathaniel Good	School of Information Management and Systems, UC Berkeley, Berkeley, CA
Rachna Dhamija	School of Information Management and Systems, UC Berkeley, Berkeley, CA
Jens Grossklags	School of Information Management and Systems, UC Berkeley, Berkeley, CA
David Thaw	School of Information Management and Systems, UC Berkeley, Berkeley, CA
Steven Aronowitz	UC Berkeley, Berkeley, CA
Deirdre Mulligan	UC Berkeley, Berkeley, CA
Joseph Konstan	University of Minnesota, Minneapolis, MN

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 7, Downloads (12 Months): 135, Citation Count: 5

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1073001.1073006 What is a DOI?

Warning: The download time has expired please click on the item to try again.

ABSTRACT

Spyware is a significant problem for most computer users. The term "spyware" loosely describes a new class of computer software. This type of software may track user activities online and offline, provide targeted advertising and/or engage in other types of activities that users describe as invasive or undesirable.While the magnitude of the spyware problem is well documented, recent studies have had only limited success in explaining the broad range of user behaviors that contribute to the proliferation of spyware. As opposed to viruses and other malicious code, users themselves often have a choice whether they want to install these programs.In this paper, we discuss an ecological study of users installing five real world applications. In particular, we seek to understand the influence of the form and content of notices (e.g., EULAs) on user's installation decisions.Our study indicates that while notice is important, notice alone may not be enough to affect users' decisions to install an application. We found that users have limited understanding of EULA content and little desire to read lengthy notices. Users found short, concise notices more useful, and noticed them more often, yet they did not have a significant effect on installation for our population. When users were informed of the actual contents of the EULAs to which they agreed, we found that users often regret their installation decisions.We discovered that regardless of the bundled content, users will often install an application if they believe the utility is high enough. However, we discovered that privacy and security become important factors when choosing between two applications with similar functionality. Given two similar programs (e.g. KaZaA and Edonkey), consumers will choose the one they believe to be less invasive and more stable. We also found that providing vague information in EULAs and short notices can create an unwarranted impression of increased security. In these cases, it may be helpful to have a standardized format for assessing the possible options and trade-offs between applications.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Abrams, M., Eisenhauer, M. and Sotto, L. (2004) "Response to the FTC request for public comments in the Advance Notice of Proposed Rulemaking on Alternative Forms of Privacy Notices under the Gramm-Leach-Bliley Act", Center for Information Policy Leadership, March 2004. Available at: http://www.hunton.com/files/tbl_s47Details/FileUpload265/685/CIPL-Notices_ANPR_Comments_3.29.04.pdf
	2	Mark S. Ackerman , Lorrie Cranor, Privacy critics: UI components to safeguard users' privacy, CHI '99 extended abstracts on Human factors in computing systems, May 15-20, 1999, Pittsburgh, Pennsylvania [doi>10.1145/632716.632875]
	3	Alessandro Acquisti , Jens Grossklags, Privacy and Rationality in Individual Decision Making, IEEE Security and Privacy, v.3 n.1, p.26-33, January 2005 [doi>10.1109/MSP.2005.22]
	4	Acquisti, A. and Grossklags, J. (2005) "Uncertainty, Ambiguity and Privacy", Fourth Annual Workshop Economics and Information Security (WEIS 2005), MA, 2--3 June, 2005.
	5	AOL/NSCA Online Safety Study, America Online and National Cyber Security Alliance, October 2004. Available at: http://www.staysafeonline.info/news/safety_study_v04.pdf
	6	Lyn Bartram , Colin Ware , Tom Calvert, Moticons: detection, distraction and task, International Journal of Human-Computer Studies, v.58 n.5, p.515-545, May 2003 [doi>10.1016/S1071-5819(03)00021-1]
	7	Oliver Berthold , Marit Köhntopp, Identity management based on P3P, International workshop on Designing privacy enhancing technologies: design issues in anonymity and unobservability, p.141-160, January 2001, Berkeley, California, United States
	8	Cranor, L., Reagle, J., and Ackerman, M. (1999) "Beyond Concern: Understanding Net Users' Attitudes About Online Privacy", AT&T Labs-Research, April, 1999.
	9	Paul Dourish , David Redmiles, An approach to usable security based on event monitoring and visualization, Proceedings of the 2002 workshop on New security paradigms, September 23-26, 2002, Virginia Beach, Virginia [doi>10.1145/844102.844116]
	10	Earthlink (2005) "Results complied from Webroot's and EarthLink's Spy Audit programs". Available at: http://www.earthlink.net/spyaudit/press/ (last accessed February 25, 2005)
	11	Gilbert, D., Morewedge, C., Risen, J. and Wilson, T. (2004) "Looking Forward to Looking Backward: The Misprediction of Regret", Psychological Science, Vol. 15, No. 5, pp. 346--350.
	12	Nathaniel S. Good , Aaron Krekelberg, Usability and privacy: a study of Kazaa P2P file-sharing, Proceedings of the SIGCHI conference on Human factors in computing systems, April 05-10, 2003, Ft. Lauderdale, Florida, USA [doi>10.1145/642611.642636]
	13	HIPAA Highlights Privacy Notice, Press Release, Center for Information Policy Leadership, Hunton and Williams http://www.hunton.com/news/news.aspx?nws_pg=7&gen_H4ID=10 102 (last accessed May 24, 2005)
	14	Bettman, J. R., Payne, J. W. and Staelin, R. (1986) "Cognitive Considerations in Designing Effective Labels for Presenting Risk Information," J. Pub. Pol'y & Marketing, 5, pp. 1--28.
	15	Carlos Jensen , Colin Potts, Privacy policies as decision-making tools: an evaluation of online privacy notices, Proceedings of the SIGCHI conference on Human factors in computing systems, p.471-478, April 24-29, 2004, Vienna, Austria [doi>10.1145/985692.985752]
	16	PC Pitstop (2005) "It pays to read EULAs". Available at <u>http://www.pcpitstop.com/spycheck/eula.asp</u> (last accessed May 24, 2005)
	17	Platform for Privacy Preferences Project (P3P). http://www.w3.org/P3P/
	18	Sarah Spiekermann , Jens Grossklags , Bettina Berendt, E-privacy in 2nd generation E-commerce: privacy preferences versus actual behavior, Proceedings of the 3rd ACM conference on Electronic Commerce, p.38-47, October 14-17, 2001, Tampa, Florida, USA [doi>10.1145/501158.501163]
	19	J. Gregory Trafton , Erik M. Altmann , Derek P. Brock , Farilee E. Mintz, Preparing to resume an interrupted task: effects of prospective goal encoding and retrospective rehearsal, International Journal of Human-Computer Studies, v.58 n.5, p.583-603, May 2003 [doi>10.1016/S1071-5819(03)00023-5]
	20	Van Dantzich, M., Robbins, D., Horvitz, E. and Czerwinski, M. (2002) "Scope: Providing awareness of multiple notifications at a glance", in: Proceedings of Advanced Visual Interfaces 2002, Trento, Italy.
	21	Wired. "Spyware on My Machine? So What?":http://www.wired.com/news/technology/0,1282,65906,00.html

CITED BY 5

	Rachna Dhamija , J. D. Tygar, The battle against phishing: Dynamic Security Skins, Proceedings of the 2005 symposium on Usable privacy and security, p.77-88, July 06-08, 2005, Pittsburgh, Pennsylvania
	Shirley Gaw , Edward W. Felten , Patricia Fernandez-Kelly, Secrecy, flagging, and paranoia: adoption criteria in encrypted email, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada
	Umesh Shankar , Chris Karlof, Doppelganger: Better browser privacy without the bother, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Nathaniel S. Good , Jens Grossklags , Deirdre K. Mulligan , Joseph A. Konstan, Noticing notice: a large-scale experiment on the timing of software license agreements, Proceedings of the SIGCHI conference on Human factors in computing systems, April 28-May 03, 2007, San Jose, California, USA
	Giovanni Iachello , Jason Hong, End-user privacy in human-computer interaction, Foundations and Trends in Human-Computer Interaction, v.1 n.1, p.1-137, January 2007