CAREER: Finding Levers for Privacy and Security by Design in Mobile Development

Mobile data are one of the fastest emerging forms of personal data. Ensuring the privacy and security of these data are critical challenges for the mobile device ecosystem. Mobile applications are easy to build and distribute, and can collect a large variety of sensitive personal data. Current approaches to protecting this data rely on security and privacy by design: encouraging developers to proactively implement security and privacy features to protect sensitive data. Although there are many technical innovations available to help developers protect user data, adoption of these innovations is low. Reasons for low adoption range from a lack of training in privacy or security design to the fact that privacy-enhancing features and best-practice data security measures are often expensive to implement, or even counter to business models that require user profiling or monitoring. Low adoption of privacy and security protection mechanisms is a social problem that inhibits a secure and trustworthy mobile ecosystem. It is unknown what factors can motivate developers to implement privacy or data security features when faced with disincentives such as longer development timelines, markets for personal data, and tensions between data protection and data-enabled services. Understanding developer decision-making is central to addressing this problem: the decisions made by developers are fundamental to enabling privacy and security by design to succeed.

This project 1) studies developers to discover work practices that encourage privacy and data security by design; and 2) builds tools to encourage such work practices. This project uses surveys and field experiments to determine factors that motivate privacy and security by design. It develops and test evidence-based toolkits for mobile developers to improve privacy and data security in the mobile data ecosystem. The project asks the following research questions:

1. How do mobile application developers define privacy and security by design?
2. What practices in mobile application development encourage developers to prioritize data protection?
3. How can development tools encourage developers to prioritize data protection during design?

By answering these questions, the project illuminates development culture, illustrates how developers understand privacy and security needs, and discovers practices that prioritize privacy and security. The project explains the impact of development practices on privacy and data security outcomes, advancing knowledge in software engineering and secure and trustworthy computing. Findings and products from this project support the rapidly developing mobile technology sector in enabling privacy and data security by design. Finding development practices that encourage privacy and data security by design improves technology transfer of technical innovations from the secure and trustworthy cyberspace research community, and bolsters protections for this sensitive data.

Duration:
September 2015 - September 2020

Principal Investigator(s):

• Katie Shilton

Research Funder:

• National Science Foundation

Total Award Amount:
$499,136.00

Research Areas:

• Data Privacy and Sociotechnical Cybersecurity
• Data Science, Analytics, and Visualization
• Information Justice, Human Rights, and Technology Ethics