21.1. Introduction

One possible reason why designing privacy-sensitive systems is so difficult is that, by refusing to render its meaning plain and knowable, privacy simply lives up to its name. Instead of exposing an unambiguous public representation for all to see and comprehend, it cloaks itself behind an assortment of meanings, presenting different interpretations to different people. When sociologists look at privacy, they see social nuance that engineers overlook. When cryptologists consider privacy, they see technical mechanisms that everyday people ignore. When the European Union looks at privacy, it sees moral expectations that American policymakers do not. Amid this fog of heterogeneous practices, technologies, and policies that characterize the current state of privacy, designers of interactive systems face increasing market pressure and a persistent moral imperative to design systems that support users' privacy needs: systems that are privacy-sensitive.

NOTE

We will use the term privacy-affecting as a general description for any interactive system whose use has personal privacy implications. We will use the term privacy-sensitive to describe any privacy-affecting system that, by whatever criteria are contextually relevant, reasonably avoids invading or disrupting personal privacy. This chapter is intended to help designers to minimize the number of privacy-affecting systems that are not privacy-sensitive.

To meet that imperative, this chapter offers a partial set of guidelines for the design of privacy-sensitive interactive systems, on and off the desktop. We say "partial" because no design advice can ever amount to a self-contained how-to guide, especially when the domain is as sophisticated as privacy. Although systems that follow our guidelines will not necessarily support privacy, systems that ignore any of these guidelines without careful rationale will almost certainly not. For this reason, we present our guidelines as a set of pitfalls to avoid when designing privacy-affecting systems. Avoiding a pitfall does not ensure success, but falling into just one pitfall can lead to disaster.

Despite an abundance of privacy-related research and design knowledge, many systems still make it hard for people to manage their privacy. We suggest that this is largely because the designs of these systems prevent their users from both understanding their privacy implications and conducting socially meaningful action through them. We believe that designs that avoid our pitfalls will go a long way toward helping people achieve the understanding and action that personal privacy regulation requires.

Although some of these pitfalls may appear obvious, we will demonstrate in this chapter that many systems continue to fall into them. Some of the systems that have ignored them (e.g., web browsers) have been repeatedly embroiled in privacy controversies; systems that have avoided the pitfalls (e.g., instant messaging) have enjoyed considerable commercial and social success without negative connotations and regrets.

Our investigation into these pitfalls began when we fell into them ourselves in the design of a user interface prototype for managing personal privacy in ubicomp environments.[2] Despite the input of our formative interviews, surveys, and literature review, an evaluation indicated some fundamental missteps in our design rationale. Further analysis showed that these missteps were not exclusive to our system; we found similar problems in a number of existing commercial and research systems. Without attempting to enumerate every extant privacy design flaw, we would like to offer the design community descriptions of the most common flaws and a warning to heed them.

[2] Scott Lederer, Jennifer Mankoff, Anind K. Dey, and Christopher Beckmann, "Managing Personal Information Disclosure in Ubiquitous Computing Environments," Technical Report CSD-03-1257 (Berkeley, CA: UC Berkeley, 2003).

To help designers remember these pitfalls, we have clustered them into two categories: those that primarily affect users' understanding of a system's privacy implications, and those that primarily affect their ability to conduct socially meaningful action through the system.

21.1.1. Understanding

The following pitfalls primarily affect users' understanding of a system's privacy implications:


Obscuring potential information flow

Designs should not obscure the nature and extent of a system's potential for disclosure. Users can make informed use of a system only when they understand the scope of its privacy implications.


Obscuring actual information flow

Designs should not conceal the actual disclosure of information through a system. Users should understand what information is being disclosed to whom.

21.1.2. Action

The following pitfalls primarily affect users' ability to conduct socially meaningful action through the system:


Emphasizing configuration over action

Designs should not require excessive configuration to manage privacy. They should enable users to practice privacy as a natural consequence of their normal engagement with the system.


Lacking coarse-grained control

Designs should provide an obvious, top-level mechanism for halting and resuming disclosure.


Inhibiting established practice

Designs should not inhibit users from transferring established social practice to new media of disclosure.

The rest of this chapter is organized as follows. First, we discuss the design and evaluation of Faces, our user interface prototype for managing personal privacy in ubicomp settings. The negative results of the evaluation motivated our investigation into the design missteps encoded in our five pitfalls. We then describe the five pitfalls, with illustrative examples from both our own and related work. Finally, we discuss the pitfalls' implications for the design process and we offer negative and positive case studies of systems that, respectively, fall into and avoid them.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295
