Are Your Requests Your True Needs? Checking Excessive Data Collection in VPA Apps

Xie, F; Yan, C; Meng, MH; Teng, S; Zhang, Y; Bai, G

Are Your Requests Your True Needs? Checking Excessive Data Collection in VPA Apps

Xie, F Yan, C Meng, MH Teng, S Zhang, Y

Bai, G

Permalink

Publisher:: Association for Computing Machinery (ACM)
Publication Type:: Conference Proceeding
Citation:: Proceedings - International Conference on Software Engineering, 2024, 00, pp. 2530-2541
Issue Date:: 2024-01-01

Closed Access

	Filename	Description	Size
	Are_Your_Requests_Your_True_Needs_Checking_Excessive_Data_Collection_in_VPA_Apps.pdf	Published version	895.89 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Xie, F
dc.contributor.author	Yan, C
dc.contributor.author	Meng, MH
dc.contributor.author	Teng, S
dc.contributor.author	Zhang, Y https://orcid.org/0000-0001-5611-3483
dc.contributor.author	Bai, G
dc.date.accessioned	2025-03-03T01:09:20Z
dc.date.available	2025-03-03T01:09:20Z
dc.date.issued	2024-01-01
dc.identifier.citation	Proceedings - International Conference on Software Engineering, 2024, 00, pp. 2530-2541
dc.identifier.issn	0270-5257
dc.identifier.uri	http://hdl.handle.net/10453/185486
dc.description.abstract	Virtual personal assistants (VPA) services encompass a large number of third-party applications (or apps) to enrich their function-alities. These apps have been well examined to scrutinize their data collection behaviors against their declared privacy policies. Nonetheless, it is often overlooked that most users tend to ignore privacy policies at the installation time. Dishonest developers thus can exploit this situation by embedding excessive declarations to cover their data collection behaviors during compliance auditing. In this work, we present Pico, a privacy inconsistency detector, which checks the VPA app's privacy compliance by analyzing (in)consistency between data requested and data essential for its functionality. Pico understands the app's functionality topics from its publicly available textual data, and leverages advanced GPT-based language models to address domain-specific challenges. Based on the counterparts with similar functionality, suspicious data collection can be detected through the lens of anomaly detection. We apply Pico to understand the status quo of data-functionality com-pliance among all 65,195 skills in the Alexa app store. Our study reveals that 21.7% of the analyzed skills exhibit suspicious data collection, including Top 10 popular Alexa skills that pose threats to 54,116 users. These findings should raise an alert to both developers and users, in the compliance with the purpose limitation principle in data regulations.
dc.language	en
dc.publisher	Association for Computing Machinery (ACM)
dc.relation.ispartof	Proceedings - International Conference on Software Engineering
dc.relation.ispartof	Proceedings of the IEEE/ACM 46th International Conference on Software Engineering
dc.relation.isbasedon	10.1145/3597503.3639107
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Are Your Requests Your True Needs? Checking Excessive Data Collection in VPA Apps
dc.type	Conference Proceeding
utslib.citation.volume	00
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
utslib.copyright.status	closed_access	*
dc.date.updated	2025-03-03T01:09:18Z
pubs.publication-status	Published
pubs.volume	00

Abstract:

Virtual personal assistants (VPA) services encompass a large number of third-party applications (or apps) to enrich their function-alities. These apps have been well examined to scrutinize their data collection behaviors against their declared privacy policies. Nonetheless, it is often overlooked that most users tend to ignore privacy policies at the installation time. Dishonest developers thus can exploit this situation by embedding excessive declarations to cover their data collection behaviors during compliance auditing. In this work, we present Pico, a privacy inconsistency detector, which checks the VPA app's privacy compliance by analyzing (in)consistency between data requested and data essential for its functionality. Pico understands the app's functionality topics from its publicly available textual data, and leverages advanced GPT-based language models to address domain-specific challenges. Based on the counterparts with similar functionality, suspicious data collection can be detected through the lens of anomaly detection. We apply Pico to understand the status quo of data-functionality com-pliance among all 65,195 skills in the Alexa app store. Our study reveals that 21.7% of the analyzed skills exhibit suspicious data collection, including Top 10 popular Alexa skills that pose threats to 54,116 users. These findings should raise an alert to both developers and users, in the compliance with the purpose limitation principle in data regulations.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/185486