What if computers understood privacy policies? And, what if they knew what we care about?

February 20, 2017

12:00 p.m. - 1:00 p.m. ET

CIC Building, DEC

Norman Sadeh
CyLab, School of Computer Science
Carnegie Mellon University


In today’s data-centric economy issues of privacy are becoming increasingly complex to manage. This is true for users who are often feeling helpless when it comes to understanding and managing the many different ways in which their data can be collected and used. But it is also true for developers, service providers, app store operators and regulators.  A significant source of frustration has been the lack of progress in formalizing the disclosure of data collection and use practices. These disclosures today continue to primarily take the form of long privacy policies, which very few people actually read.

What if computers could actually understand the text of privacy policies? In this talk, I will report on our progress developing techniques to do just that and will discuss the development  and piloting of tools that build on these technologies. This includes an overview of a compliance tool for mobile apps. The tool automatically analyzes the code of apps and compares its findings with disclosures made in the text of privacy policies to identify potential compliance violations. I will report on a study of about 18,000 Android apps. Results of the study suggest that compliance issues are widespread.

In the second part of this talk, I will discuss how using machine learning we can also build models of people’s privacy preferences and help them manage their privacy settings. This will include an overview of our work on Personalized Privacy Assistants. These assistants are intended to selectively notify their users about data collection and use practices they may find egregious and are also capable of helping their users configure available privacy settings. We will review results of a pilot involving one such assistant developed to help users manage their mobile app permissions. I will conclude with a discussion of ongoing work to extend this functionality in the context of Internet of Things scenarios.

The work presented in this talk is conducted with a number of collaborators -  faculty, post-docs and students, as part the Usable Privacy Policy project and the Personalized Privacy Assistant project. Our work is supported by grants from the National Science Foundation (SaTC and SBE programs), the DARPA Brandeis initiative and the Google IoT expedition.


Norman M. Sadeh is a Professor in the School of Computer Science at Carnegie Mellon University (CMU) and a faculty at CyLab. He is director of CMU’s Mobile Commerce Laboratory and co-Director of the MSIT Program in Privacy Engineering. He also co-founded the School of Computer Science ’s PhD Program in Societal Computing (formerly “Computation, Organizations and Society”) . His primary research interests are in the area of mobile  computing, the Internet of Things, cybersecurity, online privacy, user-oriented machine learning, human computer interaction and artificial intelligence. His research has been credited with influencing the design and development of a number of commercial products well as activities at the US Federal Trade Commission the California Office of the Attorney General. Between 2008 and 2011, Norman served as founding CEO of Wombat Security Technologies, a leading provider of SaaS cybersecurity training products and anti-phishing solutions originally developed as part of research with several of his colleagues at CMU. As chairman of the board and chief scientist, Norman remains actively involved in the company, working closely with the management team on both business and technology strategies. 
Among other activities, Norman currently leads two of the largest domestic research projects in privacy, an NSF SaTC Frontier project on Usable Privacy Policies and a project on the Personalized Privacy Assistant funded by the DARPA Brandeis initiative, the National Science Foundation and Google’s IoT Expedition.
In the late nineties, Norman was program manager with the European Commission’s ESPRIT research program, prior to serving for two years as Chief Scientist of its US$600M (EUR 550M) initiative in “New Methods of Work and eCommerce” within the Information Society Technologies (IST) program. As such, he was responsible for shaping European research priorities in collaboration with industry and universities across Europe. These activities eventually resulted in the launch of over 200 R&D projects involving over 1,000 European organizations from industry and research. While at the Commission, Norman also contributed to a number of EU policy initiatives related to eCommerce, the Internet, cybersecurity, privacy and entrepreneurship.

Upcoming Events