CMU-HCII-22-107
Human-Computer Interaction Institute
School of Computer Science, Carnegie Mellon University



Privacy Annotations: Designing Privacy Support for Developers

Tianshi Li

May 2023

Ph.D. Thesis

CMU-HCII-22-107.pdf


Keywords: Privacy, Human-Computer Interaction, Software Engineering, IDE Plugins, Privacy Annotations, Privacy Support for Developers


While data has driven many technological advancements, the ubiquitous collection and sharing of data have caused a privacy trust crisis in our society. Developers play a crucial role in creating apps that respect user expectations and data usage norms, as they have a deep understanding of app behavior and can adjust the design accordingly. However, developers are not privacy experts. Developing a privacy-friendly app is often a challenging task due to their lack of 1) awareness of privacy issues, 2) knowledge of privacy best practices, and 3) time for handling privacy requirements. These problems have become more and more salient with the advent of a flurry of privacy requirements from platform providers (e.g., Google Play and Apple App Store) and laws (e.g., GDPR, CCPA), creating urgent needs for effective, opportune, and usable privacy support for developers.

Hence, I propose Privacy Support for Developers as a new area of interest at the intersection of privacy, HCI, and software engineering research. The first challenge is that although there has been some research on the challenges developers face in handling privacy requirements, those studies tend to be more descriptive than prescriptive. As a result, our community still lacks a clear direction on how to solve these problems. To fill this gap, I first synthesize developers' needs for privacy-enhancing developer support, drawing on my own work and past literature, to provide a roadmap for future explorations of this problem.

Informed by the identified needs, I present my work that pioneers a novel type of developer tooling: Privacy-Enhancing Integrated Development Environment (IDE) Plugins. I propose privacy annotation, a type of structured metadata that embeds privacy information such as data use purposes directly in code. Based on this concept, I designed, implemented, and evaluated three plugins for Android Studio, the official IDE for Android development, to increase developers' awareness and knowledge of privacy best practices and to reduce the work required for complying with privacy requirements. With one set of annotations, my tools offer privacy support in multiple aspects, including 1) detection of sensitive API calls and third-party SDKs to support accurate understanding, documentation, and disclosure of data practices, 2) just-in-time reminders and lightweight code repair features (quick-fixes) to help developers conform to best practices, and 3) annotation-based declarative programming to generate in-app privacy notices and privacy nutrition labels required by app stores. My studies demonstrated that my tools effectively improved developers' awareness and adoption of privacy best practices, reduced the workload for completing privacy compliance tasks, and enhanced the accuracy of the generated privacy notices.

237 pages

Thesis Committee:
Jason I. Hong (Chair)
Lorrie Faith Cranor
Brad Myers
Yuvraj Agarwal
Tadayoshi Kohno (University of Washington)

Jessica Hammer, Interim Department Head, Human-Computer Interaction Institute
Martial Hebert, Dean, School of Computer Science


