With the growing global emphasis on regulating the protection of personal information and increasing user expectation of the same, developing with privacy in mind is becoming ever more important. In this paper, we study the concerns, questions, and solutions developers discuss on Reddit forums to enhance our understanding of their perceptions and challenges while developing applications in the current privacy-focused world. We perform various forms of Natural Language Processing (NLP) on 437,317 threads from subreddits such as r/webdev, r/androiddev, and r/iOSProgramming to identify both common points of discussion and how these points change over time as new regulations are passed around the globe. Our results show that there are common trends in privacy topics among the diferent subreddits while the frequency of those topics difers between web and mobile applications.
As the world is continuously advancing in ever-growing connected ways, software developers
and requirements analysts are required to implement privacy-preserving solutions to protect
users’ privacy in their applications. On the other hand, users are becoming more conscious
about how their information is collected and used by various organizations. These parallel
growths resulted in the creation of several privacy-focused regulations, such as the General
Data Protection Regulation (GDPR) [
To ensure compliance with these regulations, systematic privacy by design approaches and
tools need to become the norm. Without proper privacy education, tools, and guidelines,
developers look into forums such as Stack Overflow [
In addition to surveys [
In this paper, we will extend Li et al. [
In recent years, several works focused on evaluating and understanding the privacy challenges
of developers and their approach to implementing privacy requirements. Some studies evaluate
developers’ privacy behaviors through questionnaires or surveys [
Proferes et al. [
Analysis of 4,957 Reddit comments in 180 security- and privacy-related discussions from
/r/homeautomation show that users’ concerns are context-dependent and their attitude towards
privacy and security can change during the diferent phases of adoption of smart home devices
[17]. Li et al. [
In this paper, we extend the current approaches [
In this section, we describe our methodology for collecting and creating the Reddit dataset (i.e., Section 3.1) and then explain the process of analyzing the data (i.e., Section 3.2).
To gather data, we utilize Pushshift Multithread API Wrapper [ 23, 24] which allows for granular
information and provides the ability to multithread, in compare to other work [
The current related work provides insights regarding what and how of extracting the
information. Li et al. [
After collecting the data, we need to identify privacy-related submissions. A common way
to do this is by filtering posts and discussions that contain the term “privacy” [
To answer RQ1, we conducted simple phrase frequency analysis and then identified the topics of each submission by leveraging Latent Dirichlet Allocation (LDA) [30] similar to other work [29]. We first narrowed down our dataset to privacy questions via an Adaptive Boosting (AdaBoost) model to classify posts in our dataset as questions. The AdaBoost classifier contained 25 decision stumps and was trained on a combination of subsets of SQuAD and SPAADIA datasets which include phrases and sentences labeled as either statements or questions [31, 32, 33]. We transformed the training data into matrices of token counts and validated the classifier against 200 randomly sampled posts. We manually classified posts from AndroidDev containing 93 (46.5%) questions and 107 (53.5%) statements. The classification was performed by a single team member and verified by another; the agreed-upon method was to read both the title and body, and if either had a question from the redditer to the community, then it was classified as a question; framing and rhetorical questions were not considered questions. Against the validation set, our classification achieved 71% accuracy. Through LDA analysis, we generated ten topics of four words each for posts Pre/Post GDPR and Pre/Post CCPA.
To address RQ2, we use qualitative metrics to evaluate both the discussions and posts [
We answer RQ3 by applying the same term frequency analysis and LDA topic analysis used for RQ1 against datasets filtered to pre- and post-regulations and trending the RQ2 sentiment analysis to examine if there is any change due to the introduction of GDPR (April 2016) and CCPA (June 2018).2 2The data, models, and analysis are: https://github.com/mschrider/PEP_Privacy_Dev_Forum_Analysis/.
In the first step, we conducted a simple word counting analysis to identify how often privacyrelated words appear in the initial posts of r/androiddev, r/iOSProgramming, and r/webdev forums. We noticed that typical permission requests, such as “location”, “camera”, “gallery”, “microphone” and “voice” are the more prevalent words, though they still make up a small portion of the overall posts. Additionally, we observed that the most common word, location, appears nearly twice as often as the second common one, camera. With more detailed analysis, we noticed that while location and camera are privacy-related words, they are more often referred to for non-privacy reasons; such as the best methods for having an app interact with a camera. After this high-level evaluation, we delve into our research questions.
The initial phrase frequency analysis indicates that “location” and “camera” are the main privacyrelated terms referenced in the titles and bodies of posts. Meanwhile /r/webdev prioritizes “location” but replaces “camera” with “gallery” while “email address” and “username” are much higher up in the list (See Fig. 1 and Fig. 2). This data shows the inherent diference between the primary functions of web-based and mobile-based applications.
Based on the trends above, we narrowed down the questions to those containing “location” or “camera” for further analysis. We observe that most questions are not in fact privacy-related; though for location, one of the most upvoted questions is “GDPR - What all do I need to do?”. In general, we identified that the questions that were actually privacy-related were centered around asking for and granting permission to apps for capabilities that have impacts on privacy.
Our LDA analysis shows common topics among privacy questions. Fig. 3 and Fig. 4 include the top four webdev topics for pre- and post-GDPR/CCPA. We observed that ‘gdpr’ is one of the top trending topics from its expected non-existence pre-GDPR. Topics with variations of the word policy, consent, or cookie increased in frequency post-GDPR/CCPA but privacy-related topics appear more frequently post-CCPA. There is an overlap in post-CCPA with post-GDPR data; thus, it may be hard to distinguish the efects of each regulation in isolation.
Overall, all subreddits show similar sentiment profiles, with titles generally tending toward neutral and the main bodies of text tending toward positive. The results in Fig. 5 show the trends over time, with markers for where GDPR and CCPA were introduced. While all subreddits show undulations, there is no concrete evidence of trends in sentiment shifting one way or another.
Topics and terms show a significant change due to GDPR but to a lesser extent CCPA. As shown in Fig. 3 and Fig. 4, the overall distribution of topics/terms changed noticeably after both regulations were enacted. However, despite the changing topics, we did not observe conclusive evidence of a change in sentiment post-GDPR/CCPA. All three subreddits showed very steady sentiment, with roughly similar noise values, across the entire timeline represented in the data.
Similarities between /r/iOSProgramming and /r/androiddev are expected since both deal with mobile development. Mobile privacy concerns such as camera, microphone, and location permissions dominate the discussions while on /r/webdev, main focus is on cookies and websites.
Understanding the trends and commonalities regarding developers’ privacy concerns is important to platform owners (e.g., Apple, Google, etc.), regulators, and requirements analysts. Platform owners should provide support to mitigate and resolve developers’ privacy questions. Regulations drive developers’ concerns; therefore, regulators should study the impact of their regulations on developer behaviors. With this information, requirements analysts could focus on developing approaches to elicit and model privacy requirements from regulations and automate the compliance process.
This study was done solely on Reddit, which may introduce an inherent selection bias; for
example, due to focusing on issues brought up by developers active in their online communities.
While we extended previous research [
There are limitations to our NLP analysis. The AdaBoost question classifier does not consider relations between tokens, parts of speech utilized in Reddit posts, or other potential features which leads to improper classification of rhetorical questions. For example, a post with: “Heard about a cool job posting? Let people know!” was misclassified. The sentiment analysis is also generic since the corpus used to generate the polarity scores, nltk.sentiment.vader, is specifically designed to be used with social media posts. While Reddit is a social media platform, a more directed corpus around software development most likely provides more accurate results. In the future, we will explore approaches proposed in [22, 35] to conduct a more detailed sentiment analysis. Lastly, our data collection for privacy-related questions is based on keywords search which may result in missing a large number of privacy content. We propose to use Natural Language Inference (NLI) approaches to extract a larger pool of data, similar to [36].
In this paper, we looked into the developers’ concerns and questions on Reddit forums to gain a better understanding of their attitudes toward privacy and the challenges they face when developing applications. We examined 437,317 threads from the subreddits r/webdev, r/androiddev, and r/iOSProgramming to determine the most frequently discussed topics as well as how the sentiments around these topics have evolved in response to GDPR and CCPA. Through a combination of word frequency, topic clustering, and question classifying, we observed that a large number of questions are related to requesting permissions from users, such as camera and location, or complying with the various regulations, particularly the GDPR. Additionally, we explored the emotions around dealing with privacy and found that there is a general neutral-to-positive sentiment around it across all types of development reviewed.
In the future, we plan to extend our efort to other developers’ forums and improve our classification task. We will also leverage NLI to extract more privacy-related concepts. [12] A. Ekambaranathan, J. Zhao, M. Van Kleek, “money makes the world go around”: Identifying barriers to better privacy in children’s apps from developers’ perspectives, in: Proc. of the 2021 CHI Conf. on Human Factors in Computing Systems, 2021, pp. 1–15. [13] S. Spiekermann, J. Korunovska, M. Langheinrich, Inside the organization: Why privacy and security engineering is a challenge for engineers, Proc. of the IEEE 107 (2018) 600–615. [14] N. Alomar, S. Egelman, J. L. Fischer, Developers say the darnedest things: Privacy compliance processes followed by developers of child-directed apps, Proc. on PETS (2022). [15] D. Greene, K. Shilton, Platform privacies: Governance, collaboration, and the diferent meanings of “privacy” in ios and android development, New Media & Society (2018). [16] T. Iqbal, M. Khan, K. Taveter, N. Seyf, Mining reddit as a new source for software requirements, in: IEEE 29th Int. Requirements Engineering Conf., 2021, pp. 128–138. [17] J. Li, K. Sun, B. Huf, A. Bierley, Y. Kim, F. Schaub, K. Fawaz, “it’s up to the consumer to be smart”: Understanding the security and privacy attitudes of smart home users on reddit, in: IEEE Symp. on Security and Privacy (SP) (SP), 2023, pp. 380–396. [18] M. Tahaei, J. Bernd, A. Rashid, Privacy, permissions, and the health app ecosystem: A stack overflow exploration, in: The European Symp. on Usable Security, 2022, p. 117–130. [19] J.-H. Hoepman, Privacy design strategies (the little blue book) (2018). [20] B. Neo, Sentiment analysis on reddit tech news with python (2021). URL: https://tinyurl.
com/yck5u7ke. [21] D. Pletea, B. Vasilescu, A. Serebrenik, Security and emotion: Sentiment analysis of security discussions on github, in: The 11th Working Conf. on MSR, ACM, 2014, p. 348–351. [22] M. Herrmann, M. Obaidi, L. Chazette, J. Klünder, On the subjectivity of emotions in software projects: How reliable are pre-labeled data sets for sentiment analysis?, Journal of Systems and Software 193 (2022). [23] J. Baumgartner, S. Zannettou, B. Keegan, M. Squire, J. Blackburn, The pushshift reddit dataset (2020). URL: https://arxiv.org/abs/2001.08435. doi:1 0 . 4 8 5 5 0 / A R X I V . 2 0 0 1 . 0 8 4 3 5 . [24] M. Podolak, Pmaw: Pushshift multithread api wrapper, 2022. URL: https://pypi.org/project/ pmaw/. [25] A. Amaya, R. Bach, F. Keusch, F. Kreuter, New data sources in social science research:
Things to know before working with reddit data, Social science computer review (2021). [26] Reddit, Developing android apps, 2022. URL: https://www.reddit.com/r/androiddev/. [27] Reddit, ios programming, 2022. URL: https://www.reddit.com/r/iOSProgramming/. [28] Reddit, webdev: reddit for web developers, 2022. URL: https://www.reddit.com/r/webdev/. [29] G. L. Scoccia, P. Migliarini, M. Autili, Challenges in developing desktop web apps: a study of stack overflow and github, in: IEEE/ACM 18th Int. Conf. on MSR, 2021, pp. 271–282. [30] D. M. Blei, A. Y. Ng, M. I. Jordan, Latent dirichlet allocation, JMLR 3 (2003) 993–1022. [31] M. Weisser, Corpus data, 2020. URL: https://martinweisser.org/. [32] P. Rajpurkar, R. Jia, P. Liang, Know what you don’t know: Unanswerable questions for squad, CoRR (2018). URL: http://arxiv.org/abs/1806.03822. a r X i v : 1 8 0 6 . 0 3 8 2 2 . [33] S. Khan, Questions vs statements classification, 2021. URL: https://www.kaggle.com/ datasets/shahrukhkhan/questions-vs-statementsclassificationdataset. [34] N. Xue, Steven bird, evan klein and edward loper. natural language processing with python.
o’reilly media, inc.2009., Natural Language Engineering 17 (2011) 419–424. [35] N. Novielli, F. Calefato, D. Dongiovanni, D. Girardi, F. Lanubile, Can we use se-specific sentiment analysis tools in a cross-platform setting?, in: Proceedings of the 17th Int. Conf. on MSR, MSR ’20, 2020, p. 158–168. [36] H. Harkous, S. Peddinti, R. Khandelwal, A. Srivastava, N. Taft, Hark: A deep learning system for navigating privacy feedback at scale, in: IEEE Symp. on Sec. & Privacy, 2022.