Chapter 2. Research Context and Related Work
2.2. Privacy Enhancing Technologies for Ubiquitous Computing
2.2.5. Privacy Control: Interfaces for Managing Privacy
At the core of the privacy problems investigated in this thesis lies privacy regulation. The term privacy regulation is borrowed from Altman (Altman 1975) and describes a continual process of regulating boundaries between the data owner and the environment; in that context privacy regulation can be regarded as “a selective control of access to the self or to one’s group” (Altman 1975). In the HCI literature this is often called privacy management, and is described as the process in which the user instructs the system how his personal information should be disclosed or disseminated. Bellotti and Sellen also use the term control to refer to privacy management; they define control as “empowering people to stipulate what information they project and who can get hold of it” (Bellotti and Sellen 1993).
While privacy regulation and privacy management are just different names to describe the process of managing the dissemination of personal information, we use the term privacy control to describe a group of tools (e.g. user interfaces) by which users instruct the system how their information should be disseminated. Recall that in section 2.1.3 we said that privacy management involves tools for expressing how our information should be communicated to others (privacy controls) and the means for absorbing information from the environment (support for awareness). The latter are described in the next section.
According to Altman’s theory (see section 2.1.1) at the heart of privacy regulation is an environment that provides tools and mechanisms for managing privacy. Computer systems are part of the environment and provide tools (user interfaces) for controlling the dissemination of personal information. In this section we present several design approaches towards usable privacy management interfaces informed by theoretical frameworks (Lederer et al. 2004), previous privacy studies in ubicomp (Adams 2000; Consolvo et al. 2005) and an underlying privacy policy (Cranor et al. 2002).
We survey the existing work on user interfaces for managing privacy using Iachello and Hong’s classification of privacy management models, which distinguishes three groups of interfaces: pessimistic, optimistic and interactive (Iachello and Hong 2007).
In the pessimistic model the user is required to define his privacy preferences before using the system, so that privacy violations are prevented rather than detected afterwards. This model offers a high level of protection but limits social interaction, because anything not explicitly permitted in advance is not shared. It can be found in systems with a strong focus on information security, e.g. SPARCLE (Brodie et al. 2006) or Expandable Grids (Reeder, Bauer, et al. 2008).
Lederer and Hong (Lederer et al. 2004) proposed the faces interface for managing the disclosure of personal information in ubiquitous computing, informed by Goffman’s identity management theory (Goffman 1978). In their approach the user sets up faces, each encapsulating a set of privacy preferences that can easily be switched according to the context (Lederer et al. 2004). This solution is similar to Brar and Kay’s Secure Persona Exchange, in which the user can reveal a different persona in reaction to each service request (Brar and Kay 2004). Another interface for managing complex privacy rules was proposed by Hong et al. (Hong, Yuan, and Shen 2005), who designed the User Preference Manager interface based on the pessimistic approach with an underlying P3P privacy policy engine (see section 2.4.1 for more details).
In the optimistic approach, information is disclosed first and the system then helps the user trace potential misuses, supporting the user in reacting to violations by specifying additional access rules. Optimistic interaction borrows from social translucence (Erickson and Kellogg 2000) and is based on reciprocal interaction, in which stakeholders are aware of each other’s actions. Examples of this approach include (J. Y. Tsai et al. 2009; Raento and Oulasvirta 2005; Mancini et al. 2011; Jedrzejczyk et al. 2010a; Nguyen and Mynatt 2001).
The objective of the interactive model is to provide the information that helps the user make an informed decision about sharing at the moment it is needed. Another important aspect of this privacy management model is that the user communicates privacy preferences in reaction to each information request. While this model supports continuous privacy management and an understanding of the information flow, data owners are interrupted each time someone requests their information. Because people habituate to repeated prompts, confirmation is often given automatically, without conscious consideration, and is therefore not a trustworthy indicator of consent (Raskin 2000).
Evidence from the literature also shows that too many consent clicks (Iachello and Hong 2007) lead people to ignore consent requests without reading them (Pettersson et al. 2005). Solutions using this approach include the Reno system (Iachello et al. 2005) and the Just-In-Time Click-Through Agreement (JITCTA) of Patrick and Kenny (Patrick and Kenny 2003). Other examples of interactive privacy interfaces include Hong’s access notification interface (Hong
2005, Figure 5-9) and the privacy warning and security alert interface presented in (Jedrzejczyk et al. 2010b).
Several hybrid approaches to privacy management have been proposed, in which the pessimistic, optimistic and interactive models are implemented in one system. For example, additional options for privacy management can be found in Lederer and Hong’s work (Lederer et al. 2004), which extends the pessimistic approach used in the faces interface. Here, the access notification interface supports continuous privacy management by providing timely information about location requests, which supports users’ awareness and understanding of the extent to which their personal information is disclosed in the system. A place bar widget allows the user to control the disclosure and granularity of location to a web page as part of the browsing activity (Hong et al. 2003; Hong 2005, Figure 5-11). The Nexus Personal Information Manager provides a disclosure log with a simple option to manage the disclosure of location information (1) between the data owner and services, and (2) between the data owner and other users (Hong 2005, Figure 5-10). Combining these interfaces yields a hybrid in which all three approaches are mixed together.
Tsai et al. combined the pessimistic and optimistic approaches in their Locyoution system, where users create privacy rules using a web-based interface and refine those rules by analysing the disclosure log (J. Y. Tsai et al. 2009). A similar approach was used in the Friend Finder application described in (Sadeh et al. 2009), and further advanced by (Toch et al. 2010) in the Locaccino system for location sharing.
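To make the three models concrete, the following added example (written for this survey; it is not code from Locyoution, Reno, Locaccino, the faces interface or any other system cited above) implements a small location-disclosure engine in which the same rule set is consulted under the pessimistic, optimistic and interactive models. The pessimistic path denies anything not configured in advance; the optimistic path discloses by default, records every disclosure in a log, and lets the owner turn flagged log entries into new deny rules (the rule-refinement loop of the hybrid systems); the interactive path defers to a just-in-time prompt, but suppresses the prompt when a rule already exists, to reduce the interruptions discussed above. The class and function names, the granularity levels and the sample requests are all assumptions constructed for the illustration.

```python
"""Toy location-disclosure engine contrasting pessimistic, optimistic and
interactive privacy-management models.  Added illustration; all names and
sample data are constructed, not taken from any cited system."""
from dataclasses import dataclass
from typing import Callable, List, Optional

GRANULARITIES = ("none", "city", "neighbourhood", "exact")


@dataclass
class Request:
    requester: str
    hour: int             # local hour (0-23) at which the request arrives
    exact: str            # precise position, e.g. a coordinate pair
    neighbourhood: str
    city: str


@dataclass
class Rule:
    requester: str        # "*" matches any requester
    hours: range          # hours during which the rule applies
    granularity: str      # one of GRANULARITIES; "none" is a deny rule


@dataclass
class LogEntry:
    request: Request
    granularity: str
    model: str
    flagged: bool = False  # set by the data owner when reviewing the log


class DisclosureEngine:
    def __init__(self, rules: List[Rule], optimistic_default: str = "exact"):
        self.rules = list(rules)
        self.optimistic_default = optimistic_default
        self.log: List[LogEntry] = []

    def _match(self, req: Request) -> Optional[str]:
        # Requester-specific rules take precedence over wildcard ("*") rules.
        for r in sorted(self.rules, key=lambda r: r.requester == "*"):
            if r.requester in (req.requester, "*") and req.hour in r.hours:
                return r.granularity
        return None

    @staticmethod
    def _reveal(req: Request, granularity: str) -> Optional[str]:
        # Coarsen the location to the chosen granularity (the "place bar" idea).
        if granularity not in GRANULARITIES:
            raise ValueError(f"unknown granularity {granularity!r}")
        return {"none": None, "city": req.city,
                "neighbourhood": req.neighbourhood, "exact": req.exact}[granularity]

    def _record(self, req: Request, granularity: str, model: str) -> Optional[str]:
        self.log.append(LogEntry(req, granularity, model))
        return self._reveal(req, granularity)

    def pessimistic(self, req: Request) -> Optional[str]:
        # Everything must be configured up front; no matching rule means no disclosure.
        return self._record(req, self._match(req) or "none", "pessimistic")

    def optimistic(self, req: Request) -> Optional[str]:
        # Disclose by default and log it; misuse is caught later by reviewing the log.
        return self._record(req, self._match(req) or self.optimistic_default, "optimistic")

    def interactive(self, req: Request, ask: Callable[[Request], str]) -> Optional[str]:
        # Decide at request time via a just-in-time prompt; an existing rule suppresses
        # the prompt so the owner is not interrupted for a decision already made.
        return self._record(req, self._match(req) or ask(req), "interactive")

    def refine_from_log(self) -> int:
        # Optimistic feedback loop: each flagged disclosure becomes a deny rule for
        # that requester at that hour, so the same disclosure cannot recur.
        added = 0
        for entry in self.log:
            if entry.flagged:
                h = entry.request.hour
                self.rules.insert(0, Rule(entry.request.requester, range(h, h + 1), "none"))
                entry.flagged = False
                added += 1
        return added


def demo() -> dict:
    # Constructed sample data: one pre-configured rule and two requesters.
    eng = DisclosureEngine([Rule("alice", range(9, 18), "exact")])
    alice = Request("alice", 10, "51.52,-0.13", "Bloomsbury", "London")
    bob_late = Request("bob", 22, "51.52,-0.13", "Bloomsbury", "London")
    prompts: List[str] = []

    def ask(req: Request) -> str:          # stands in for the owner's consent dialog
        prompts.append(req.requester)
        return "city"

    out = {}
    out["pess_alice"] = eng.pessimistic(alice)        # rule says exact
    out["pess_bob"] = eng.pessimistic(bob_late)       # no rule: denied
    out["opt_bob_before"] = eng.optimistic(bob_late)  # no rule: exact by default
    eng.log[-1].flagged = True                        # owner spots it in the disclosure log
    out["rules_added"] = eng.refine_from_log()
    out["opt_bob_after"] = eng.optimistic(bob_late)   # new deny rule now applies
    out["inter_alice"] = eng.interactive(alice, ask)  # rule exists: no prompt
    out["inter_bob"] = eng.interactive(
        Request("bob", 12, "51.52,-0.13", "Bloomsbury", "London"), ask)
    out["prompts"] = list(prompts)
    out["log_len"] = len(eng.log)
    return out
```

Running `demo()` shows the three decision points side by side: the pessimistic model denies the uncovered late-night request outright, the optimistic model discloses it and only closes the gap once the owner flags the log entry, and the interactive model prompts only for the request that no rule covers, which is the trade-off between interruptions and unreviewed disclosures that the survey above describes.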