Toward the Cure of Privacy Policy Reading Phobia: Automated Generation of Privacy Nutrition Labels From Privacy Policies

TL;DR

This paper introduces an automated framework to generate privacy nutrition labels from privacy policies, helping users better understand data practices and addressing privacy policy reading phobia.

Contribution

It presents the first automated method for creating privacy nutrition labels from policies, achieving high F1-scores and detecting under-claim issues effectively.

Findings

Achieved 0.75 F1-score on data collection practices

Achieved 0.93 F1-score on security practices

Detected 90.1% of under-claim issues

Abstract

Software applications have become an omnipresent part of modern society. The consequent privacy policies of these applications play a significant role in informing customers how their personal information is collected, stored, and used. However, customers rarely read and often fail to understand privacy policies because of the ``Privacy Policy Reading Phobia'' (PPRP). To tackle this emerging challenge, we propose the first framework that can automatically generate privacy nutrition labels from privacy policies. Based on our ground truth applications about the Data Safety Report from the Google Play app store, our framework achieves a 0.75 F1-score on generating first-party data collection practices and an average of 0.93 F1-score on general security practices. We also analyse the inconsistencies between ground truth and curated privacy nutrition labels on the market, and our framework can detect 90.1% under-claim issues. Our framework demonstrates decent generalizability across different privacy nutrition label formats, such as Google's Data Safety Report and Apple's App Privacy Details.