See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/239761048

Third-party apps on Facebook: Privacy and the illusion of control

Article · December 2011

DOI: 10.1145/2076444.2076448

CITATIONS READS
67 2,600

3 authors, including:

Heng Xu
Pennsylvania State University
121 PUBLICATIONS   4,548 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Heng Xu on 05 October 2014.

The user has requested enhancement of the downloaded file.

 Third-Party Apps on Facebook:
Privacy and the Illusion of Control
Na Wang Heng Xu Jens Grossklags
The Pennsylvania State University The Pennsylvania State University The Pennsylvania State University
University Park, PA 16802 University Park, PA 16802 University Park, PA 16802
[email protected] [email protected] [email protected]

ABSTRACT According to publicly available information, Facebook users share

Little research examines the privacy threats associated with the more than 30 billion pieces of content (e.g., web links, news
use of third-party apps on Facebook. To address this gap in the stories, blog posts, notes, photo albums), and interact with over
literature, we systematically study third-party apps' current 900 million objects each month [1]. These high-volume
practices for privacy notice and consent by: i) collecting data from information exchange activities introduce a variety of privacy
the 1800 most popular Facebook apps to record their data risks for Facebook users. As identified by prior privacy research,
collection practices concerning users and their friends, and ii) these may include, but are not limited to, accidental information
developing our own Facebook app to conduct a number of tests to disclosure, damaged reputation and image, unwanted stalking, and
identify problems that exist in the current design of authentication reconstruction of users’ identities [6, 7, 10, 13].
dialogs for third-party apps on Facebook. To address these Adding to these concerns, a Wall Street Journal (WSJ) study
problems, we propose two new interface designs for third-party found numerous third-party applications (apps) on Facebook
apps’ authentication dialogs to: i) increase user control of apps' extracting identifiable user information from the platform and
data access and restrict apps' publishing ability during the process sharing this bounty with advertising companies [20]. Thus, an
of adding them to users’ profiles, and ii) alert users when their additional dimension that represents the complexity of studying
global privacy settings on Facebook are violated by apps. This privacy risks on Facebook is introduced by the large amount of
research provides both conceptual and empirical insights in terms information interaction between third-party developers and
of design recommendations to address privacy concerns toward Facebook users.
third-party apps on Facebook.
To the best of our knowledge, there is little research on addressing
Categories and Subject Descriptors the privacy threats associated with the use of Facebook third-party
D.4.6 Security and protection, H.5.2 User Interfaces apps. In addition to the WSJ article, Besmer and Lipford
examined users’ motivations, intentions, and concerns with using
General Terms applications, as well as their perceptions of data sharing. Their
Design, Security, Human Factors. results indicate that Facebook users are not truly understanding
and consenting to the risks of apps maliciously harvesting profile
Keywords information [4]. Similarly, King and her colleagues also studied
Privacy, Third-Party Applications (Apps), Control, and Online users’ misunderstandings and confusion concerning apps’
Social Networks, Notice and Consent. functionality and information practices [17]. Taking an
engineering view, Hull et al. suggest visualization enhancements
1. INTRODUCTION of the third-party apps’ information accessing and publishing
In recent years, Online Social Networks (OSNs) have moved from practices [15]. In doing so, users might have a better awareness
being a niche phenomenon to mass adoption. Facebook, for how the app will use their information and thus users might be
example, has transformed from a localized college network able to avoid some undesirable information leakage.
website to one of the most popular OSNs with more than 750
million active users around the world [1]. There is now sufficient Regarding generic Facebook privacy settings, Lipford et al.
evidence showing that Facebook gradually expands into a designed an interface with a better audience view [18]. In
ubiquitous giant information repository which documents users’ critiquing Facebook’s available privacy control options, they
personal data and logs users’ interaction information with their identified some design flaws that might lead to users’
friends and various objects (i.e., pages, groups, events, and misunderstandings. In another study, Shehab and his coauthors
community pages). developed a Firefox browser extension that allows users to
configure their privacy settings at the time when they installed the
Permission to make digital or hard copies of all or part of this work for apps and provides recommendations on requested information
personal or classroom use is granted without fee provided that copies are [19].
not made or distributed for profit or commercial advantage and that
copies bear this notice and the full citation on the first page. To copy However, previous research does not examine the circumstances
otherwise, or republish, to post on servers or to redistribute to lists, under which users’ global privacy settings are potentially violated
requires prior specific permission and/or a fee. by third-party apps. Related work does also not address how to
ACM CHIMIT ’11, December 4, 2011, Boston, MA, USA. improve the notice and consent mechanism to more effectively
alert users when such violations happen, and when more attention
Copyright © 2011 ACM 978-1-4503-0756-7/11/12... $10.00 should be invested by the user.
More specifically, to address these concerns, we aim to provide 2.2 Information Control between Users and
Facebook users with: 1) better control options to limit third-party
apps' data read, write and page manage abilities on Facebook, and Third-Parties
2) better warning mechanisms to inform users under such In addition to provisions to limit information access among users,
circumstances when their privacy settings are violated by third- Facebook also provides mechanisms to restrict information
party apps. transmission between users and third-party apps, even though
these mechanisms are found to be problematic later in our study.
To achieve these goals, we first examine the current
implementation of user information control on Facebook (e.g., To limit third-party apps’ information access, Facebook primarily
how to limit their information sharing with other users and third- relies on the OAuth 2.0 protocol which is used for third-party
party apps), followed by analyzing patterns of personal authentication and authorization. In the traditional client-server
information transmission from users to third-party apps. Our authentication model, the client can access a protected resource on
results confirm that there is a large amount of users’ personal the server by authenticating with the server using the resource
information transmitting from Facebook to external entities. We owner’s credentials. OAuth 2.0 adds an authorization layer and
further investigate information transmission using actual field data separates the role of the client (third-party application) from that
from the 1800 most popular third-party apps on Facebook. Our of the resource owner (Facebook user) [14]. Figure 2
results provide a preliminary but detailed picture of personal demonstrates the flow of the OAuth 2.0 protocol.
information transmission in the wild, rather than as discerned
through surveys and laboratory experiments. We also develop our
own Facebook app to conduct a series of tests for the purpose of
observing third-party apps' practices for privacy notice and
consent. Based on these insights learned from our tests, we point
out several flaws that exist in the current design of authentication
dialogs for third-party apps. In hoping to address these problems,
we propose and evaluate two new interfaces for the authentication
dialog to help users better manage their personal information
transmission on Facebook. The paper concludes with a discussion
of theoretical and design implications, and directions for future
research.

2. OVERVIEW OF PRIVACY CONTROL

OPTIONS ON FACEBOOK
2.1 Information Control among Users
Users can adjust their privacy settings to set limits for other users’
ability to access uploaded and created content. By adjusting these
Figure 2. The OAuth 2.0 protocol as of 5/10/2011.
settings, Facebook users can: 1) control basic information their
friends will use to find them on Facebook; 2) control who can see
what they share; and 3) edit lists of blocked people. Figure 1 2.2.1 Authentication before Installing Apps
shows the interface of the global privacy settings. Under the OAuth 2.0 protocol, when a user wants to add an
application to her Facebook profile, the application is required to
ask the user for her authorization to access, for example, basic
information and/or other shared data on Facebook. Figure 3
includes a representative example of the user interface associated
with this privacy authentication dialogue.
In the sample authentication dialog shown in Figure 3, the first
category “access my basic information” represents the default
information that will be accessed by the app, which includes
user’s basic information such as name, profile picture, gender,
network, user ID, list of friends, and any other information the
user has shared with everyone. If the app developer anticipates a
need for information beyond these basic categories, she will need
to request extended permission(s) from the user. As shown in
Figure 3, in addition to the category of “basic information”, the
apps could request extended permissions to access more data (e.g.,
contact information, photos, videos and friends’ information, etc.)
or to act on behalf of the user (e.g., to post on users’ wall, and
send text messages to users).1

1
There are a total of 60 extended permissions for additional reading,
Figure 1. User Interface of Privacy Settings on Facebook as of writing, and page management operations (as of 5/10/2011). See URL:
5/10/2011. http://developers.facebook.com/docs/authentication/permissions.
 categories are business, education, entertainment, friends &
family, games, just for fun, lifestyle, sports, and utilities. We
collected data from the top 200 most popular applications from
each category. By going through the list of these applications, we
recorded the profile page URL for each application. Then, we
used the software “Locoyspider” to collect and save data from
these profile pages, as well as record the number of monthly
active users for these applications. Next, we used the list of “Go to
App” URLs to either access the authentication dialog (“Request
for Permission”) which lists all the information that the app
requests from users, or to be redirected to the app’s external page.
In our dataset, we only consider those applications which would
pop-up the privacy authentication dialog after clicking the button
of “Go to App”. From these authentication dialogs, we capture the
types of information each app desires to access from users.
Combining this information (i.e., types of information requests)
with the number of monthly active users for each application, we
can count how many times a specific type of information is
released to an app within a month.
Among those 1800 most popular applications, there were 1305
Figure 3. Current Third-Party Apps’ Authentication Dialog as applications displaying authentication dialogs when they
of 5/10/2011. requested data access from users. From the end user’s perspective,
there were 12 categories of information/behavior requested by the
authentication dialogs. For each category of these requests, we
2.2.2 Information Control after Installing Apps first compiled a list of applications that require it. We summed up
In the Facebook privacy settings, there is a section called “Apps the number of monthly active users for each application on the list
and Websites” which enables users to control certain aspects of to get the total number of users who were requested for this type
the information sharing between them and previously installed of information. We treat this total number as the total times that
apps. As shown in Figure 4, users could remove some such user information is requested per month (see Table 1).
information categories from this list, which would make that type
of information no longer available to the app. There are, however,
four categories of information that cannot be removed (i.e., “Send Table 1. Authorization Requests Presented to the User.
me email”, “Access my profile information”, “Access my friends’ Data Category/ Number of apps Total times a
information”, and “Access my photos and videos”). Access Category requesting category category is
(percentage of apps requested by apps
requesting category)
Access my basic
1305 (100%) 857,821,274
information
Send me email 454 (34.79%) 238,991,048
Post to my wall 670 (51.34%) 137,473,280
Access my profile
148 (11.34%) 178,912,316
information*
Access my data any
76 (5.82%) 17,450,664
time
Manage my pages 8 (0.61%) 237,067
Figure 4. Post-Installation Privacy Settings for Apps as of Access my photos
5/10/2011. 128 (9.81%) 43,227,008
and videos
Access my friends’
148 (11.34%) 68,436,680
3. THIRD-PARTY APPS’ DATA information
Access posts in my
COLLECTION PRACTICES 66 (5.06%) 30,635,352
News Feed
In this section, we discuss the scope of user information that apps Online Presence 16 (1.23%) 4,003,824
could potentially collect from users of the Facebook platform and Access my family &
transmit to advertising companies or other third parties. Field data 28 (2.15%) 6,617,296
relationship
from the most popular 1800 third-party apps on Facebook was Access Facebook
collected in December 2010 and analyzed to investigate third- 8 (0.61%) 1,739,160
Chat
party apps’ data collection practices. Send me SMS
10 (0.77%) 1,195,720
messages
From the Facebook application directory2, we locate the URLs for * User information accessed by this category may vary based on different
the most popular 1800 applications in nine categories. These nine app requests.

2
See URL: https://www.facebook.com/directory/applications/.
As shown in Table 1, more than 850 million times users were 4.1.2 Further Tests of Privacy Violations
asked to release their basic information to applications. Further, In the above case, we used “birthday” as a representative type of
the top three most frequently requested extended permissions are: personal information to supply an example of third-party apps
“Send me email”, “Access my profile information”, and “Post to overriding users' privacy settings. We further utilized our own app
my Wall”. “Permission Experiment” to run several similar tests for other
types of information. Our results indicate that the privacy breach
4. THIRD-PARTY APPS' PRACTICES FOR demonstrated in the case of “Happy Calendar 2011” is
generalizable to many different types of information requests. As
PRIVACY NOTICE AND CONSENT long as a user grants the app the permission to access her own and
To examine the current privacy notice and consent practices by her friends’ data, in conjunction with a publishing permission,
third-party apps on Facebook, we developed our own Facebook then user’s profile information like “birthday” but also other
app “Permission Experiment” and performed a series of tests to contents (e.g., photos, videos, comments, and everything she
address the following two questions: shared), could be accessed and released by that app. Thus, we
Question 1 (Q1): To which extent could third-party apps override conclude with respect to Q1 that privacy violations may exist
users' global privacy settings on Facebook? when there is conflict between users’ privacy settings and apps’
Question 2 (Q2): To which extent does the authentication dialog data collection and publishing practices. Our tests confirm that
truly reflect the third-party apps' information practices? Facebook’s powerful API enables application developers to
collect and publish user data in an aggressive fashion.
We present our findings in the sub-sections below.
4.2 Tests of Reflection (Q2)
4.1 Tests of Privacy Violations (Q1) Question 2 asks about the extent to which the authentication
4.1.1 A Case of “Happy Calendar 2011” dialog truly reflects the third-party apps' information practices. To
User A prefers to block disclosure of her birthday. Accordingly, address this question, we use our app “Permission Experiment” to
her privacy setting for this information category is “Only me”, request different extended permissions from a hypothetical user
which means her birthday cannot be seen by other users on account (User A) and examine the scope of information that can
Facebook except herself. When this user adds the app “Happy be accessed when the permission is being granted. The following
Calendar 2011” to her profile, she is asked to grant the app procedures state the process of our tests:
permissions to access her and her friends’ birthdays and to publish
them. Like most users, User A immediately grants the app all Step 1. Different extended permissions were added to the source
requested permissions. Later, User A finds out that “Happy code of our app “Permission Experiment” for requesting extended
Calendar 2011” created an album in her profile and posted all her permissions from User A.
friends’ birthdays that she can access, as well as her own, in a Step 2. Observe how the authentication dialog changed
calendar image with their profile pictures being visible in the correspondingly.
corresponding date fields (see Figure 5). Moreover, User A’s Step 3. The app “Permission Experiment” was added to the user’s
friends received a wall post notifying them of the creation of this profile.
album and how they can access it. As a result, the “birthday”,
which User A intended to keep private, is now accessible by her Step 4. Referred to the Facebook developer’s documentation to
friends. We consider this case as a privacy violation in which the carefully examine these extended permissions, e.g., what kind of
third-party app overrides users' global privacy settings. user information can be accessed by the app.
Step 5. Went to User A’s “Apps and Websites” settings to observe
which extended permission(s) can be removed.
Next, we discuss our findings.
4.2.1 Chaotic Display
When developers change the source code to request different
permissions for accessing users’ personal information or
publishing rights, the authentication dialog will change, however,
the display can be chaotic. For example, when the app is asking to
access photos and videos uploaded by the user’s friends as well as
those photos and videos friends were tagged in, the display of
these two groups of permissions would look confusing, as
highlighted in Figure 6.
Regarding the phrase of “Photos, Videos and Photos and Videos
of Them” marked by the red line in Figure 6, we anticipate users
to experience confusion concerning its implications. Further, the
somewhat awkward treatment of English grammar does very
likely reduce users’ understanding. Thus, it might be very difficult
for them to understand the meaning and implication of these
extended permissions.

Figure 5. A Case of Privacy Breach by Third-Party Apps.

 and comment have their own properties and further connected
objects, which distribute this permission further. In Figure 8, we
demonstrate the scope of accessible information after granting
permission.
Based on our case analysis of “Access my photos”, we conclude
that the prompting messages displayed in the authentication dialog
fail in informing users about the actual scope of personal
information that will be accessed by the app. If one app asks for
extended permissions to access a certain object, with that
permission being granted, the app can access not only all of its
non-permission required properties but also its connected objects’
properties.3 Furthermore, if the second-level objects are connected
to some third-level objects that are not included in the permission
request, those third-level objects’ properties will be available to
the app. And this information access chain will not stop until it
reaches an object that does not have any further object connecting
Figure 6. Chaotic Display of Extended Permissions (Marked to it.
in Red) as of 5/10/2011.
4.2.3 Limited Control
In the current design of the authentication dialog, we found that
4.2.2 Insufficient Reflection there is no way for users to limit the apps' information access or
publishing abilities during the installation process. Even the post
To further address our second question (Q2), we use a simple case
installation information settings cannot sufficiently help users to
of “Access my photos” to demonstrate whether the authentication
control what information they share with apps. In “Settings for
dialog will truly reflect the third-party apps' information practices.
Websites and Apps”, users could only remove some categories of
When our app “Permission Experiment” requests an extended
the extended permission(s). But users have no control options for
permission to access user photos (“user_photos”), users will see a
those extended permissions marked as “required” (see Figure 4).
corresponding authentication dialog (as shown in Figure 7) when
they add the app. Surprisingly, even developers cannot define removable or
required extended permissions. In our tests, without any specific
definition in our source code, when we asked for different
extended permissions, some of these were marked as required and
thus cannot be removed from the “Settings for Websites and
Apps”. In contrast, other extended permissions were available for
removal by users. So far, we have not found the patterns regarding
when and what extended permissions could be removed by users.
5. PROPOSED NEW DESIGNS
5.1 Design Principles
Our analyses and tests of third-party apps' current practices for
privacy notice and consent have identified a number of problems
that exist in the current design of the authentication dialogs.
Although, we are aware of the fact that there is no panacea for
privacy settings, there is room for serious improvement. Our
results suggest a number of heuristics to improve the design and
Figure 7. The Authentication Dialog for the Extended the effectiveness of privacy notice and consent:
Permission “user_photos” as of 5/10/2011. Known information – The authentication dialog should provide
explicit signals for users to distinguish what data would be
accessed by the app and how the data would be used.
In this dialog window, the extended permission asking for access
to user photos is explained as data access request for “Photos Control before allowing – The authentication dialog should
uploaded by me”. This explanation is confusing because users provide options for users to control the app’s data reading and
might easily entertain the belief that only the photos they have writing practices before adding the app to their profiles.
shared on Facebook would be accessed by that app.
However, in fact, with this simple “user_photos” permission being
granted, the real amount of information that the app could access 3
"Non-permission required properties" can be fetched without any
is far more substantial and exceeds the shared photos themselves. extended permission (e.g., all properties related to comments on
More specifically, the “user_photos” permission actually enables Facebook, including id, from, message, created time, likes, user likes and
the app to access all albums objects the user has created. For each type). To be more specific, if a user grants an app access to her photos,
album object, it has ten properties and three connected objects then this app can also access all the comments posted under this user's
(photo, comment, and picture) which do not require any photos.
permission. And within those three connected objects, both photo
 Figure 8. The Real Amount of Information Could Be Released After Granting Permission “user_photos” as of 5/10/2011.

Conflict caution – The authentication dialog should provide As Carroll highlighted in his book [9], “people rely on analogies
warning signals to the users when data and publishing permissions with familiar, readily envisaged domains to build mental models
requested by the app will violate their global privacy settings. of less-familiar, less-visible domains”. Following this design
Privacy indication – The authentication dialog should reflect a guideline, we have adopted icons and color themes that are well
user’s current privacy settings. consistent with users’ mental models in their familiar and readily
envisaged domains. For instance, as a sign for alert in our daily
The first three design principles were developed to address the life, we have used the red exclamation mark to indicate the
identified flaws that exist in current designs of authentication conflict between users’ privacy settings and apps’ requests for
dialogs. The fourth design principle was developed to test whether data access.
users want the authentication dialog to further reflect their privacy
settings. In order to better isolate the implications of the fourth Envisioned by the proposed design heuristics and previous
design principle, we split our analysis by providing two new analyses, we now present our alternative interfaces for privacy
designs addressing different aspects of our suggestions. authentication dialogs by third-party apps on Facebook.

5.2 Alternative Interfaces 5.2.1 Monochrome Authentication Dialog (MONO)

Kelley et al. developed a privacy “nutrition label” that presents to The MONO interface design of the authentication dialog aims to
consumers the ways organizations collect, use, and share personal fulfill the first three design principles (see Figure 9).
information [16]. Their design, inspired by the field of the Below we describe our major design elements.
nutrition warnings and advice, aims to: 1) clearly highlight the
The Layout of Permissions: All types of data (basic information
meaning of different labels so that users can easily understand the
and data reading permissions) required by the app are listed in the
different sets of information; 2) use different font highlights to
first column. The first row displays the information regarding how
separate sets of information in order to expedite the users’
the app will use the data (including data writing and page
navigation through the list; and 3) have a bold and clear title to
management permissions).
inform the user of the purpose of the information in each section
[2, 3, 8, 11]. In this research, we aim to include similar design
elements in our designs.
 People…”, or “Only Me”. For example, if a user’s privacy setting
for “Birthday” is “Friends Only” or “Friends of Friends”, then in
the authentication dialog, the background of the checkboxes in the
“Birthday” row will be marked yellow. In this case, the app would
be able to access this personal information item while other users
may have partially restricted access. Even though the original
user's privacy setting is not directly violated by the app, there
might be some potential privacy risks for the user to allow the app
to access these data.

Figure 9. Proposed MONO Interface Design.

The Tick Mark and Checkbox: Un-clickable tick marks

represent those types of information that will be accessed and
used by the app. Users have to give out corresponding information
to use the app. The checked check box means that users will allow
the app to access and use certain information. The un-checked
check box means that users will not allow the app to access or use
the corresponding information.
The Red Exclamation Point: When the information requested by Figure 10. Proposed POLY Interface Design.
the app conflicts with the user’s privacy settings, the red
exclamation point alerts users about the potential conflict.
Shortcut Buttons: We add two buttons to help users control how
6. PRELIMINARY USER EVALUATION
the app accesses and publishes their information. When clicking To gain a preliminary understanding of user feedback, we
„Follow My Privacy Settings‟, those check boxes with the red conducted a qualitative study to evaluate the MONO and POLY
exclamation point alert will be unchecked. Under this situation, designs. The intent of this evaluation approach is to ensure that
the app will not be allowed to use these specific types of the design principles identified in the conceptual analysis are
information. When clicking „Uncheck All‟, all the check boxes adequately met in the opinion of the target user population. We
will be unchecked, i.e., only required types of information will be considered protecting one’s privacy as a sensitive topic; there may
shared. be social implications to responses people give. When collecting
data about sensitive topics, it is appropriate to utilize open ended
5.2.2 Polychrome Authentication Dialog (POLY) questions to permit respondents expressing themselves in a way
Our second design of the authentication dialog, the POLY design, that they do not feel threatened, and allowing them to say as much
is an enhanced version of the MONO design, with a three-color or as little as they would like and not be confined to a limited set
scheme to reflect users’ privacy settings, which addresses the of answers that are available in a Likert-type survey design.
fourth design principle (see Figure 10).
GREEN indicates the current privacy setting for the 6.1 Participants and Procedure
corresponding information is “Everyone” and it will NOT be Participants were recruited from junior/senior levels of
violated by adding the app to the user’s Facebook account. undergraduate classes at a public university in the United States.
RED indicates the current privacy setting for that information is We specified that participants must be active Facebook users.
“Only Me” or “Specific People…” and it will be violated by Two extra credit points were awarded for their participation in this
adding the app to the user’s Facebook account. study. There were in total eleven participants who consented to
partake in our user study. Among these eleven participants, two
YELLOW indicates the current privacy setting for that
were female and nine were male; and they identified their ages as
information is something beyond “Everyone”, “Specific
20 to 24.
Participants were first asked to review the third-party apps they participant questioned the effectiveness of POLY design in the
added to their Facebook accounts and recall their installation and situation where a user’s privacy settings were too strict to be
user experience, followed by the introduction of our proposed reflected by the POLY interface.
MONO and POLY designs. The next series of questions was Interestingly, the participants also mentioned other perspectives
aimed at evaluating our new designs. Participants were asked to which were out of scope of our design considerations:
respond to open-ended questions about their attitudes toward our
proposed MONO and POLY designs, e.g., whether they want the Friends’ Information
authentication dialog to reflect their privacy settings on Facebook, Four participants mentioned the ability for an application to gather
and to what extent our POLY design could reflect their privacy information about one’s friends should be another issue to be
settings. Finally, participants were asked to compare and contrast addressed. This is because “[the user‟s] friends never download
three types of authentication dialog designs: the current one on or agreed to the application‟s term”, and the user “does not own
Facebook, the MONO design, and the POLY design. [his or her] friends‟ information”. If the user is not diligent about
setting secure privacy settings, the apps may be able to access
6.2 Data Analysis and Results his/her friends’ information. This is especially unfair for his/her
The data collected was coded based on a set of rules developed friends who may be proactive and try to make smart privacy
from the questions asked, as well as information received from the choices.
question responses. As the first step, we examined participants’
responses to the open-ended questions and identified significant Transparency of Information Flow
concepts and aspects through content analysis of their answers. One participant advocated for the idea that “the information
We then applied a more thorough process to code their answers extracted from a user‟s profile should be monitored” in a real
for in-depth analysis. In this procedure, we examined the patterns time fashion. In this way, the user could quickly access when and
in subjects’ responses and attempted to correlate concepts what information was accessed and used by the apps. One
generated in the coding process. By doing this, we expected to participant also suggested the authentication dialog to inform the
find out participants’ attitudes and preferences on the current user “why the app need the information they take”.
Facebook apps' authentication dialogs and our newly proposed 6.2.2 Comparing Two Designs
MONO and POLY designs. More importantly, we expected these We asked participants to compare and contrast three types of
results could infer a better authentication dialog design in practice.
authentication dialog designs: 1) the current one on Facebook, 2)
6.2.1 General Attitudes toward New Designs the MONO design, and 3) the POLY design. Based on our data
The advantages of our new designs in terms of providing users coding, we developed four comparison themes in Table 2.
with better control options to limit apps’ information activities Table 2. Comparing Two Designs.
and better warning mechanisms to inform them about privacy
violations have been confirmed by participants. All participants Comparing Themes Authentication Dialog Designs
highlighted the importance of improving current privacy
Visual Effects Ability to grab users’ attention.
authentication dialogs on Facebook. For example, participants
commented the following: Perceived information Participants’ perceived effectiveness of
control ability authentication dialogs in helping users
better control the app’s information
“[T]he proposed designs are vastly superior to the current design.” accessing and publishing practices.
“Both the MONO and POLY dialog screens are effective ways of Perceived effectiveness Participants’ perceived effectiveness of
allowing users to see and change application requests for in alerting potential authentication dialogs in alerting users
information.” privacy violations about potential privacy violations.
“Both designs address basic issues such as notifying whether or Overall likability The extent to which a person likes the
not the third-party app will violate previously established privacy design of the authentication dialog.
settings. They do an excellent job informing the user about the
consequences of using the application.”
Visual Effects
All participants highlighted that both MONO and POLY were
When asked whether they want the authentication dialog to reflect good at grabbing users’ attention. Three participants thought the
their Facebook privacy settings, all participants responded new design with the exclamation point in red were attention
positively. They would like the authentication dialog to reflect grabbing. They believed that with the implementation of the new
their privacy settings “because it will help them manage their designs on Facebook, users would definitely pay more attention to
privacy and security” and “forces [them] to be more aware of privacy and security issues.
their privacy settings”. They also believe the reflection of their One participant thought that the introduction of the color in POLY
privacy settings on the authentication page could help them to was too distracting for users. However, the majority of
avoid possible violations caused by third-party apps: participants believed that the POLY design did a better job than
the MONO design: “with the bright colors displayed on the
request for permission page, it can‟t help but draw attention.”
“This allows me to view when there may be a potential conflict
with my already established privacy settings.” Perceived Information Control Ability
One participant even hoped to have every detail of his privacy The majority of the participants believed that the new designs
setting to be reflected in the authentication dialog. In addition, one could help them to better control the app’s information accessing
and publishing practices. They thought the new design elements
would place control in the hands of users. Only one participant - Facebook's powerful APIs could enable third-party apps to
doubted whether the new interface offered a sufficient degree of override users' privacy preferences expressed through their
control. Nevertheless, the respondent affirmed the added privacy settings.
convenience and potential to raise awareness. To address these problems, we propose two new interfaces of the
Perceived Effectiveness in Alerting Privacy Violations third-party app’s authentication dialogs to: i) empower users to
Participants regarded the new POLY design as superior in terms control and limit apps' information access and to restrict apps'
of alerting potential privacy violations, due to its use of the three- publishing ability during the process of adding the apps to the user
color scheme reflecting the user’s privacy setting and alerting profile, ii) alert users when their global privacy settings on
users about potential privacy violations: Facebook are violated by the apps, and iii) help users better
understand what kinds of their personal information will be
accessed and used by the app.
“[T]he POLY design is colorful, it would make users more aware A preliminary user study with eleven participants was conducted
of the [privacy] settings.” to evaluate the authentication dialogs we proposed. Based on the
“[T]he POLY design integrates a color scheme that provides even analysis of participants’ responses, we have gained insightful
more awareness of when apps are conflicting with personal lessons on the design of third-party apps’ authentication dialogs
privacy settings.” on Facebook. First, a well-designed authentication dialog should
stand out to be noticed. Users will be aware of the conflicts
between their privacy settings and third-party apps’ information
As the POLY design could indicate how private the information accessing and publishing practices only if they pay attention to the
was considered by the user when the app asked access permission design cues spontaneously. Second, a well-designed
to it, it was much easier for conflicts to stand out in the POLY authentication dialog should do a better job in both warning users
design than it was in the MONO design. Both the exclamation of the potential privacy conflict and providing users with options
mark and the red color, as the universal signals for danger and or suggestions to avoid such conflict. Third, the authentication
problem, can help users be aware of the item when a conflict dialog should be easy for users to understand and be consistent
materializes. Contrarily, the design in the current authentication [12].
dialog has no alert information when a user’s privacy settings
Finally, although all participants wanted the authentication dialog
conflict with an app’s information accessing or publishing
designed to reflect their global privacy settings on Facebook, the
practices.
use of a color scheme was not always the favored solution. Some
In addition, participants also mentioned that both the MONO and participants argued that the use of the three-color scheme was eye-
POLY designs would be useful as long as the users would take the catching; and thus they regarded it as an advantage. On the
time to learn the new interface and pay attention to the signals. contrary, other participants regarded it as a disadvantage because
One participant commented that without educating and teaching they considered it as a distraction. Based on these results, it seems
users about what was happening to their personal information, fair to conclude that the three-color scheme implemented in
none of the new design would work. POLY design is not a perfect way to reflect users’ privacy
Overall likability settings. In our future work, we aim to further improve our
solution to achieve a superior notice and consent experience.
Six out of eleven participants liked the POLY design better due to
the implementation of the color scheme that reflected users’ In summary, this research seeks to add to the research literature by
privacy settings. As suggested by these participants, the POLY providing a greater understanding of privacy issues regarding
design was more eye-catching because the three-color scheme third-party apps on Facebook. The development of design
could better inform users about the potential privacy violations. principles as well as the preliminary evaluation of our proposed
When something was highlighted in red, the user would relate it new designs could potentially alleviate users’ privacy concerns
either as a bad thing or as a stop sign. This would make users without sacrificing their social and entertainment needs pertaining
think twice or at least try to read and understand how much to third-party apps. Moreover, our work offers practitioners (such
information they may allow third-party apps to access. as application developers and social networking service providers)
wake-up calls and suggestions for further improvements. In future
On the contrary, four participants believed that the MONO design
work, we will implement our new designs as working interfaces
was more aesthetically pleasing and easier to understand. They
and embed them during controlled experiments into the Facebook
considered the three-color scheme of the POLY design “will
environment [5]. We are particularly interested in large-scale
distract users” and “it would be overwhelming for users to view”.
studies to study to what extent users understand and share when
interacting with third-party apps on Online Social Networks.
7. DISCUSSION AND CONCLUSION
This research identifies a number of challenges at the interface
between the representation of material terms to users and the 8. ACKNOWLEDGMENTS
underlying data collection and transmission practices by apps: The authors gratefully acknowledge the financial support of the
- During the process of adding an app to their profiles, users do National Science Foundation under grant CNS-0953749. Any
not have any control to limit the app’s access to their personal opinions, findings and conclusions or recommendations expressed
information or restrict the app’s publishing practices. Only after in this material are those of the authors and do not necessarily
adding the app, users can edit some categories of information reflect the views of the National Science Foundation.
access or publishing practices via adjusting their “Apps and
Websites Settings” under their privacy settings.
 [12] Good, N., J. Grossklags, D. Mulligan, and J. Konstan.
Noticing notice: A large-scale experiment on the timing
9. REFERENCES of software license agreements, Proceedings of the
[1] Facebook Statistics. 2010; Available from: ACM Conference on Human Factors in Computing
http://www.facebook.com/press/info.php?statistics. Systems (CHI'07), San Jose, CA, April /May 2007,
[2] Administration, U.S.F.a.D. Guide to nutrition labeling p. 607-616.
and education act requirements. 1994; Available from: [13] Gross, R. and A. Acquisti. Information revelation and
http://www.fda.gov/ora/inspect_ref/igs/nleatxt.html. privacy in online social networks, Proceedings of the
[3] Belser, B., Designing the food label: nutrition facts. ACM Workshop on Privacy in the Electronic Society
AIGA Journal, 1994. (WPES). Alexandria, VA, November 2005, p. 71-80.
[4] Besmer, A. and H. Lipford. Users' (mis)conceptions of [14] Hammer-Lahav, E., D. Recordon, and D. Hardt (2011)
social applications, Proceedings of Graphics Interface The OAuth 2.0 authorization protocol draft-ietf-oauth-
(GI'10), Ottawa, Canada, May/June 2010, p. 63-70. v2-12.
[5] Böhme, R. and S. Köpsell. Trained to accept?: A field [15] Hull, G., H. Lipford, and C. Latulipe, Contextual gaps:
experiment on consent dialogs, Proceedings of the ACM Privacy issues on Facebook. Ethics and Information
Conference on Human Factors in Computing Systems Technology, 2010.
(CHI'10), Atlanta, GA, April 2010, p. 2403-2406. [16] Kelley, P., J. Bresee, L. Cranor, and R. Reeder. A
[6] boyd, d. and N. Ellison, Social network sites: nutrition label for privacy, Proceedings of the 5th
Definition, history, and scholarship. Journal of Symposium on Usable Privacy and Security (SOUPS),
Computer Mediated Communication, 2008. 13(1): Mountain View, CA, July 2009.
p. 210-230. [17] King, J., A. Lampinen, and A. Smolen. Privacy: Is there
[7] Brandimarte, L., A. Acquisti, and G. Loewenstein. an app for that?, Proceedings of the 7th Symposium On
Misplaced confidences: Privacy and the control Usable Privacy and Security (SOUPS), Pittsburgh, PA,
paradox, Workshop on the Economics of Information July 2011.
Security (WEIS), Boston, MA, June 2010. [18] Lipford, H., A. Besmer, and J. Watson. Understanding
[8] Buckley, P. and R. Shepherd, Ergonomic factors: The privacy settings in Facebook with an audience view,
clarity of food labels. British Food Journal, 1993. 95(8): Proceedings of the USENIX Workshop on Usability,
p. 18-21. Psychology and Security, San Francisco, CA, April
[9] Carroll, J.M., HCI models, theories, and frameworks: 2008, p. 1-8.
Toward a multidisciplinary science. 2003: Morgan [19] Shehab, M., S. Marouf, and C. Hudel. ROAuth:
Kaufmann Pub. Recommendation based open authorization,
[10] Debatin, B., J. Lovejoy, A. Horn, and B. Hughes, Proceedings of the 7th Symposium On Usable Privacy
Facebook and online privacy: Attitudes, behaviors, and and Security (SOUPS), Pittsburgh, PA, July 2011.
unintended consequences. Journal of Computer [20] Steel, E. and G. Fowler, Facebook in privacy breach.
Mediated Communication, 2009. 15(1): p. 83-108. The Wall Street Journal, October 2010.
[11] Golan, E., F. Kuchler, L. Mitchell, C. Greene, and A.
Jessup, Economics of food labeling. Journal of
Consumer Policy, 2001. 24(2): p. 117-184.

View publication stats