Section 25.3. Supporting Privacy Management Activities with Social Processes


End-user privacy management is rarely a simple task. Instead, there are often multiple and ongoing activities that users must perform in order to manage their privacy. The most common activities for end users performing privacy management are the following; these activities frequently proceed in the order in which they are listed.

  • Awareness and motivation. An end user must achieve some level of awareness (or the system must provide awareness) of a potential privacy risk. Such awareness is necessary because it motivates the user to engage the risk.

  • Learning and education. The user must learn about the privacy risk and its accompanying management activity.

  • Decision making. Based on the user's awareness of and knowledge about the risk, he must make decisions about how to manage the risk.

In other domains, users maintain awareness, learn, and make decisions better when using social processes than they do individually.[11], [12] It makes sense that users can also benefit from employing social processes to perform these activities in the context of privacy management. In the following sections, we discuss these activities in detail, how social processes can facilitate them, and how Acumen supports them.

[11] Alan J. Fridland, Daniel Reisberg, and Henry Gleitman, Psychology (New York: W.W. Norton & Company, 2003).

[12] Ilan Yaniv, "Receiving Other People's Advice: Influence and Benefit," Journal of Organizational Behavior and Human Decision Processes 93:1, 1-13.

25.3.1. Awareness and Motivation

Motivation is a critical aspect of end-user privacy management. If end users do not perceive a privacy risk, they will not use privacy management tools. Hence, a privacy management system frequently needs to raise awareness for the risk in order to motivate users to manage it.

Often, users must maintain ongoing awareness of a privacy risk. However, ongoing awareness can be overwhelming and distracting to users. Privacy management is rarely a primary activity for end users; rather, it is a secondary activity that is integrated into and performed alongside principal tasks.[13] For example, the primary activity for Internet users is browsing the Internet; managing cookies is a secondary activity, if that.

[13] Victoria Bellotti and Abigail Sellen, "Design for Privacy in Ubiquitous Computing Environments," Proceedings of 1993 European Conference on Computer-Supported Cooperative Work (1993), 77-92.

Because privacy management is a secondary activity at best, awareness of privacy risks and requisite management should be limited so as not to distract the user. Ideally, a privacy management system should filter information and alert users only to potentially important or new concerns and threats.

Raising end users' awareness of a privacy risk, and thereby raising users' motivation to manage the risk, can be accomplished via social means. Knowing that others recognize a risk and are managing it can serve to motivate a user to do the same; at the least, most users will take more notice of a risk if they observe that others are concerned about the risk. While there are users who will disregard the activities of others, most users will find others' activities to be useful information.

25.3.1.1 Awareness and motivation in Acumen

Acumen offers minimal and context-driven awareness. Acumen's toolbar is integrated into the web browser and displays information about only the web sites that are using cookies on the current web page. Thus, the toolbar provides relevant but limited information that a user can easily glance at and understand.

Acumen's icons make it clear that others are managing their cookies and also serve to alert users to potentially problematic cookies. Recall that there are two colored icons next to each site using cookies on the page: an arrowhead or X that indicates whether cookies are allowed/blocked, and the circle icon that denotes the site's user management data.

Just a quick glance by a user often provides valuable information about the cookies on the page. Problematic cookies stand out immediately because their site's user data icon is colored yellow or red, indicating that others have blocked the site's cookies. In addition, a user can glance at the two icons next to a web site name and determine whether her decision to allow/block the site's cookies matches others' decisions. A user's decision matches that of others if the icons are the same color; if not, the icons have different colors (see Figure 25-2). It is worthwhile to note that color perception and comparison are preattentive processes that are very fast and require little cognitive effort.[14]

[14] Chris G. Healey, K. S. Booth, and James T. Enns, "Harnessing Preattentive Processes for Multivariate Data Visualization," Proceedings of 1993 Graphics Interface (1993), 107-117.

Recall that Acumen uses nonlinear, biased thresholds for the color categories:

  • Green indicates that 90% or more of all visitors allow a web site's cookies.

  • Yellow indicates that 75% to 90% of visitors block a site's cookies.

  • Red indicates that less than 75% of visitors allow a site's cookies.

Thus, a yellow or a red icon, both indicating caution, will appear next to some web sites even though a majority of users have not blocked the site's cookies.

We chose these thresholds to reflect the often sensitive and conservative nature of privacy management. Even if only a few users block a site's cookies, this information is reflected in an icon's color and is thus communicated to the user. Because few users ever change default settings, these biased thresholds accentuate any deviation in the community's data from Acumen's default of allowing cookies.

25.3.2. Learning and Education

Many users have only passing familiarity with privacy management. They are often unfamiliar with privacy risks, the terminology used in describing privacy issues, and the methods that they can use to manage their privacy. For example, many users have concerns about Internet privacy but do not link those concerns to the issue of cookies. Users often do not understand how a cookie acting as a "persistent identifier" can be used to intrude upon their privacy, nor do they understand the difference between "first-party" and "third-party" cookies, terminology that is common in the cookie management systems built into Internet Explorer and other web browsers.

Because end users have a limited understanding of privacy, one important role of a privacy management system is to educate. Two of the more effective forms of social learning are modeling[15] and legitimate peripheral participation:[16]

[15] Albert Bandura, Social Learning Theory (Englewood Cliffs, NJ: Prentice Hall, 1977).

[16] Jean Lave and Etienne Wenger, Situated Learning: Legitimate Peripheral Participation (Cambridge: Cambridge University Press, 1991).

  • Modeling. In modeling, a novice learns by observing other people perform a task and models his behavior after what he has observed. Modeling is a simple process, but it is difficult for the novice to learn why others chose the behaviors that they did; a novice must infer why another person behaved in a particular way, and such inferences may be incomplete or incorrect.

  • Legitimate peripheral participation (LPP). This is a more complex form of social learning. In LPP, a novice participates in a larger process that is administered by a group of experts. Initially, the novice has small, "peripheral" responsibilities in the process; however, as the novice becomes more experienced, he is given more important, "central" tasks. In LPP, novices learn through a combination of observation, experimentation, and direct interactions with experts. LPP is a longer process than modeling, but it offers novices the opportunity to learn why experts chose the behaviors that they did and also how to handle exceptional and unusual circumstances.

25.3.2.1 Learning and education in Acumen

Acumen supports modeling; users can view the cookie management activities of other people in order to learn which cookies others are blocking. This information can help them begin to infer why others made the choices that they made. For example, a user may observe that others are more apt to block cookies from third-party web sites (e.g., advertising sites) than they are to block first-party cookies. The user may then choose to follow up on this information and learn more about why other people may have blocked third-party cookies; alternatively, the user may simply choose to block third-party cookies because others have.

Acumen currently provides little support for LPP. However, Acumen does support experimentation by novices; users can choose to toggle between blocking and allowing a web site's cookies to observe how the web page they are viewing changes. Only the user's final cookie setting is recorded; thus, a user's experimentation is private and occurs on the periphery of the group's cookie management processes.

It is difficult for a software system to facilitate LPP because doing so requires significant effort and commitment from both experts and novices. We are, however, experimenting with techniques to mitigate the required efforts of Acumen users. For instance, we are investigating methods to quickly and easily elicit why experts chose to block a cookie and methods to aggregate experts' data so that novices can more easily learn from it.

25.3.3. Decision Making

Maintaining awareness of a privacy risk and learning about that risk lays the foundation for making decisions about, or managing, the risk. Decision making is likely the activity in which users can benefit most by leveraging social processes. The social process that supports decision making is called social navigation.

Social navigation is the process of observing other users' activities, inferring information from these observations, and using this information to make an informed decision.[17] Social navigation is quite common in everyday life; a very simple instance of social navigation occurs when an individual observes a crowd outside an unfamiliar restaurant. When the individual sees the crowd, she may infer that many people enjoy the food at the restaurant and that the restaurant generally serves good food. Hence, she is more likely to dine at the restaurant than she otherwise would be because the crowd provides information about how much other people like the restaurant. The crowd's behavior, then, is a simple form of data or advice that she can use to make a decision.

[17] Andreas Dieberger, Paul Dourish, Kristina Hook, Paul Resnick, and Alan Wexelblat, "Social Navigation: Techniques for Building More Usable Systems," Interactions 7:6 (2000), 36-45.

Social navigation is an especially promising approach for privacy management. A software system that supports social navigation offers a technological complement to end-user privacy management processes. Users' privacy management settings evolve to reflect changes in how their information is collected or used or changes in norms surrounding the use of their information.[18] Social navigation systems evolve as well because users' activities shape the system, and thus the system evolves as users' activities change.

[18] Leysia Palen and Paul Dourish, "Unpacking 'Privacy' for a Networked World," Proceedings of 2003 Conference on Human Factors in Computing Systems (2003), 129-136.

Privacy management is frequently a collaborative process; conventions regarding privacy management develop among groups of people, and an individual's management decisions are made in the context of these conventions.[19] Social navigation systems support a similar process. Conventions are made visible through user data aggregation, and an individual's decisions are made in the context of, and often directly using, this data. Finally, as discussed earlier, privacy management is often a complementary activity that is situated in a principal activity; similarly, social navigation systems are situated in principal activities and support decision making in them.

[19] Victoria Bellotti, "What You Don't Know Can Hurt You: Privacy in Collaborative Computing," Proceedings of the 1996 HCI Conference on People and Computers (1996), 241-261.

Social navigation can take on many forms. One important facet of a social navigation system is the type of data that it collects and uses; this data can be either implicit or explicit. Implicit data is generated by users as a by-product of their activities; explicit data must be intentionally generated by users. A system that collects implicit data can do so at a very low cost to users. However, implicit data requires users to infer why people behaved in a particular way or made a particular decision. A system collecting explicit data imposes a substantial burden on users by requiring them to expend effort to contribute data to the system, but explicit data is potentially more useful than implicit data because it requires users to make fewer inferences and judgments.

25.3.3.1 Decision making and herd behavior

Social navigation is an intuitive and straightforward process, and supporting social navigation in Acumen is simple. In order to minimize the efforts of users, Acumen collects only implicit data from users; future versions of Acumen may collect explicit data using low-cost methods. Acumen's data, when made available to an individual user, provides information about how others are managing their cookies, and this data can be employed by the user as a form of advice when deciding whether to block or allow a web site's cookies.

There is, however, a particular challenge in using social navigation: herd behavior. Some users may choose to blindly follow the decisions of other users rather than make their own decisions; if enough users blindly follow the majority decision, a herd mentality arises and other people's data becomes detrimental because users simply adopt the increasingly dominant majority opinion.[20]

[20] Abhijit V. Banerjee, "A Simple Model of Herd Behavior," Quarterly Journal of Economics 107:3 (1992), 797-818.

Acumen tries to mitigate herd behavior by identifying and using mavens. A maven is a domain expert, someone who has both a deep understanding of a domain and also an intrinsic desire to learn as much as they can about the domain; mavens have been identified in many areas.[21] Internet privacy mavens almost certainly exist as well; for example, people that read and contribute to the Electronic Privacy Information Center (EPIC) web site (http://www.epic.org) and those that use free cookie management software such as Privoxy are likely to be privacy mavens.

[21] Gladwell.

Acumen leverages mavens' expertise by anonymously identifying and finally providing the data of mavens as a group separately to the large Acumen community. To identify mavens, Acumen computes a "maven rating" for each user; a user's rating is the sum of the square roots of a user's actions across all the web sites that he visited:

Each time a user explicitly blocks or allows a site's cookies, Acumen increments the user's action count for that site. This function has two interesting features:

  • Taking the square root of the number of actions decreases the influence that each additional action has on a user's maven rating; for example, the first four actions a user performs on a site will increase his rating by 2.0, but the subsequent four actions that he takes on the site will increase his rating by only 0.82.

  • By taking the square root of the actions performed for each site, rather than the square root of the actions performed across all sites, the function balances breadth and depth of user actions, although breadth is slightly favored.

The function, then, identifies mavens as users with considerable breadth and depth of cookie management actions. However, later user actions count less than earlier actions; this is advantageous for two reasons:

  • It is well established that people often learn more in early experiences as compared to later experiences;[22] the function reflects this feature of learning as inexperienced users' ratings increase more quickly with additional actions than do experienced users' ratings.

    [22] Fridland, Reisberg, and Gleitman.

  • The function makes it progressively more difficult for users to increase their rating and become mavens artificially.

It is not clear what percentage of users should be labeled as mavens; we are not aware of any estimates about how many mavens are present in a typical domain. Acumen labels the users with ratings in the top 20% as mavens. Labeling a relatively large number of users as mavens increases the likelihood that Acumen's user data for a site will include a maven's data.
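The rating function and the top-20% cutoff described above, combined with the icon color thresholds from Section 25.3.1.1, as an added example that is not Acumen's own code. The user names, sites, counts, and settings are constructed; the tie-break and rounding in the cutoff, the reading of the yellow band as 75% to under 90% of visitors allowing, and the reuse of the same color thresholds for the maven group are assumptions.

```python
import math

def maven_rating(actions_by_site):
    """Sum over visited sites of sqrt(explicit allow/block actions on that site)."""
    return sum(math.sqrt(n) for n in actions_by_site.values())

def label_mavens(ratings, top_fraction=0.20):
    """Users rated in the top 20%. Rounding up and the name tie-break are
    assumptions; the text gives only the cutoff."""
    ranked = sorted(ratings, key=lambda u: (-ratings[u], u))
    return set(ranked[:math.ceil(len(ranked) * top_fraction)])

def allow_fraction(settings, site, users):
    """Share of `users` whose final setting for `site` is "allow" (None if no data)."""
    votes = [settings[u][site] for u in users if site in settings.get(u, {})]
    return sum(v == "allow" for v in votes) / len(votes) if votes else None

def icon_color(frac):
    """Biased thresholds on the share allowing a site's cookies. Assumption:
    yellow spans 75% up to (not including) 90% allowing."""
    if frac is None:
        return None
    return "green" if frac >= 0.90 else "yellow" if frac >= 0.75 else "red"

# Constructed sample data: explicit action counts per user per site.
ACTIONS = {
    "u01": {"news.example": 4, "shop.example": 4, "ads.example": 4, "mail.example": 4},
    "u02": {"ads.example": 16},                     # same 16 actions, one site
    "u03": {"news.example": 4, "ads.example": 9},   # 13 actions, two sites
    **{f"u{i:02d}": {"news.example": 1} for i in range(4, 11)},  # casual users
}
# Constructed final settings for one site; everyone but u01 and u03 keeps the
# default of allowing cookies.
SETTINGS = {u: {"ads.example": "block" if u in ("u01", "u03") else "allow"}
            for u in ACTIONS}

def site_report(site):
    """Mavens, community icon color, and maven-group icon color for `site`."""
    ratings = {u: maven_rating(a) for u, a in ACTIONS.items()}
    mavens = label_mavens(ratings)
    return (mavens,
            icon_color(allow_fraction(SETTINGS, site, ACTIONS)),
            icon_color(allow_fraction(SETTINGS, site, mavens)))

if __name__ == "__main__":
    print(maven_rating({"s": 4}), maven_rating({"s": 8}) - maven_rating({"s": 4}))
    print({u: maven_rating(a) for u, a in ACTIONS.items()})
    print(site_report("ads.example"))
```

In this sample, the user with 16 actions on a single site rates below the user with 13 actions spread over two sites, and the community icon and the maven-group icon for the same site come out in different colors.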

It is too early to say how well the function described here identifies mavens and how effective mavens are at mitigating herd behavior; we are actively exploring these questions.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
EAN: 2147483647
Year: 2004
Pages: 295
