22.3. Privacy Bird Design

I began designing a P3P user agent in parallel with the development of the P3P specification. Over a four-year period, during which time many changes were made to the P3P specification, I worked on four prototype P3P user agents.[16] Experience with these prototypes informed the eventual design of Privacy Bird. The first public Privacy Bird beta was released in February 2002. A second beta was released a year later, following a user study.[17] In 2004, AT&T made the Privacy Bird source code publicly available. My goals in developing Privacy Bird and the earlier prototypes were to provide feedback into the P3P specification development process based on implementation experience, and to demonstrate the capabilities of P3P. I hope that other P3P user agent developers will be able to learn from Privacy Bird.

[16] See Chapter 14 of Lorrie Faith Cranor, Web Privacy with P3P (Sebastopol, CA: O'Reilly Media, 2002), 236-265.

[17] Praveen Guduru and Manjula Arjula were the primary developers of the Privacy Bird betas at AT&T Labs.

Privacy Bird is implemented as a browser helper object, which loads whenever IE starts up.[18] Users download Privacy Bird as a 1.4 MB self-extracting file that includes an installation wizard. A P3P user agent built into a web browser would likely perform better and be able to more easily integrate with cookie managers and other browser functionality.[19] Much of the Privacy Bird design could be incorporated into a browser implementation.

[18] D. Esposito, "Browser Helper Objects: The Browser the Way You Want It," MSDN Library (Jan. 1999); http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp.

[19] We faced many of the same challenges as the Bugnosis team did, because both projects were implemented as browser helper objects. See Chapter 23, this volume.

Designers of P3P user agents face two major design challenges: designing an interface for capturing user privacy preferences, and designing an interface for communicating with users about web site privacy policies. These challenges and our approaches to addressing them are discussed in the sections that follow.

22.3.1. Capturing User Privacy Preferences

Unless you are a privacy researcher, it is unlikely that you have ever had a discussion with someone about his privacy preferences. If you are interested in building privacy tools, especially tools that help individuals control the collection and use of their personal information, I recommend that you spend some time talking to people about their privacy preferences and the type of control they would like to have.

While working on P3P and Privacy Bird, I spoke with many people about their privacy preferences. In this process, I learned a few important lessons:


Most people have little experience articulating their privacy preferences

Most people have never been asked to do this before.


Privacy preferences are often complex and nuanced

Initially, most people with whom I have discussed privacy preferences tell me that their privacy preferences are pretty simple; for example, "I don't want companies to give my information to anyone else." But as our conversations continue, people usually start to articulate a variety of exceptions to their initial simple rules. "If I order something from them, then they can provide my information to fulfill the order and ship a package to me. And if I tell them about my hobby, then it would be OK if they send me catalogs related to that hobby or let me know about clubs I might be interested in." Some people, eager for a good deal, go further: "I should have the right to control my information, but junk mail doesn't really bother me so much. So if they are willing to give me something for free, I don't mind throwing away their junk mail. But if they are profiting from my information, I should get something too." And when the discussion turns to the sharing of location or presence information with other individuals, privacy preferences tend to get very complex.


Most people are unfamiliar with much of the terminology used by privacy experts

Privacy policies, privacy laws, and privacy principles tend to be full of privacy jargon.


Most people do not understand the privacy-related consequences of their behavior

People tend to assume that if they have nothing to hide, there probably isn't any risk associated with sharing their personal information. Often, they are unaware of the potential for information from multiple sources to be combined, perhaps years after the information was initially collected. It is hard for them to imagine how information might be used against them, both accurately and inaccurately.

For these reasons, it is very difficult for most people to articulate anything close to a set of privacy-related rules that might be applied by an automated agent. It is no wonder that Westin describes privacy control as a process in which individuals are "continually engaged."[20] To develop software that can serve as the user's proxy in this continuous decision-making process is indeed a challenge.

[20] Westin.

To make matters worse, privacy policies are also complex and nuanced. Some natural-language privacy policies are almost incomprehensible to anyone without a law degree, and even those who have law degrees may find internal inconsistencies in some policies. P3P improves the situation somewhat by forcing P3P adopters to articulate their privacy policies in multiple-choice format. Most P3P elements have a fixed set of choices, and P3P adopters have to decide which choices apply. However, if we look at the combinations of data category, purpose, recipient, and retention, there are more than 5,000 possibilities. If we also factor in the access element, whether opt-in or opt-out is provided, specific data elements collected, or any of the other elements or subelements available in a P3P policy, the number of combinations explodes. When we include free text fields, the number of combinations is infinite. We could simply ask P3P user agent users to tell us their preferences for each field individually. However, often their preferences are dependent on multiple fields. "I don't mind if they share my preferences about food or sports or things like that, but I don't want them to share information like my address or phone number, especially if it might result in more unsolicited marketing." Clearly there are too many combinations to ask users to articulate a preference about each one.

I attempted to design a Privacy Bird configuration interface that would allow users to specify all of their preferences on a single screen. As shown in Figure 22-7, the Privacy Bird configuration screen allows users to select from 12 conditions under which they might wish to receive privacy warnings. These conditions were selected after reviewing privacy survey results (primarily of American Internet users, as we were designing a user agent with this group in mind) to determine the aspects of privacy policies that would likely be of most interest to users.[21] The three areas that appeared repeatedly as most important were the type of data collected, how data would be used, and whether data would be shared (represented by the P3P data, purpose, and recipient elements). Among data uses, telemarketing calls and marketing lists seemed to cause the greatest concern. Among data types, financial data and medical data appeared to be most sensitive. In addition, individuals did not like having their data used to build profiles of their interests or activities. We focused our configuration interface on these areas of concern.

[21] Mark S. Ackerman, Lorrie Faith Cranor, and Joseph Reagle, "Privacy in E-Commerce: Examining User Scenarios and Privacy Preferences," Proceedings of EC '99 (Denver, CO: ACM Press, Nov. 1999), 1-8.

Focus group participants who discussed our early P3P user agent prototypes expressed two seemingly contradictory preferences: they wanted the interface to be extremely simple, but they also were reluctant to have their choices reduced to several pre-configured settings such as high, medium, and low. In an attempt to satisfy the preferences expressed by the focus group, we included radio buttons that allow a user to select from High, Medium, Low, and Custom settings. When a user selects one of the three prepackaged settings, the boxes next to the corresponding warning conditions are checked automatically. (In Figure 22-7, for example, the Medium setting has been selected and the six boxes corresponding to that setting are checked.) This provides immediate feedback about what each of the settings does. In addition, it makes it easy for users to make modifications to a prepackaged setting.

It is likely that the choice of what aspects of P3P policies should be highlighted in the user interface will need to be revisited over time and as specialized P3P user agents are developed. For example, although detailed location data such as global positioning system (GPS) data is very sensitive, we did not include a setting that dealt with location data in this interface because Privacy Bird is designed for use on personal computers rather than mobile devices, and thus we do not anticipate that Privacy Bird users will be visiting many web sites that track a user's location. However, as users increasingly use wireless networks to access the Internet from laptop computers, applications that track user location may become more common. Certainly, a P3P user agent for wireless handheld devices should highlight a web site's use of GPS data.

Figure 22-7. Privacy Bird Privacy Preference configuration

Many of the distinctions made in the P3P vocabulary are unlikely to be important to most users, although it is quite likely that the distinctions users find most important will change over time and perhaps even vary across regions of the world. We bundled vocabulary elements together that users may think about in similar ways in order to reduce the apparent complexity of the P3P vocabulary. For example, the P3P "recipients" element offers web sites six choices for describing their data-sharing practices. We bundled these choices into two groups, sharing and nonsharing, and described the sharing practice as sharing data "with other companies (other than those helping the web site provide services to me)." Sites that disclose data only to their agents and to delivery companies are considered to be nonsharing, while those that disclose data to any other recipients are considered to be sharing. Thus, P3P vocabulary distinctions between sites that share data with companies having similar privacy policies, companies having different privacy policies, and companies with unknown privacy policies are hidden in the Privacy Bird preference specification interface.

The fact that the Privacy Bird configuration interface reduces a potentially infinite space of choices to 12 is clearly a limitation. With further testing, we might become more confident that the 12 choices we selected are indeed the best ones, or that a few changes might improve them. We might decide that a few additional choices are needed to better capture the kinds of preferences Privacy Bird users have. But ultimately, as more web sites become P3P enabled, and as P3P user agent functionality becomes better integrated into web browsers and other tools, I suspect that users will find themselves wanting to add dozens of rules to handle special cases not adequately captured by the 12 choices provided. Users may not mind very much if Privacy Bird provides unnecessary warnings, because these warnings can be easily ignored. However, if Privacy Bird were taking automated actions, such as blocking cookies or filling out forms, users would likely be more demanding, and require more nuanced privacy rules.

As I discussed earlier, users are unlikely to have the interest or ability to articulate a complete set of privacy rules. Indeed, a tool that required users to go through a lengthy configuration process would fall directly into one of the pitfalls described by Lederer et al.[22] Instead, I envision P3P user agents with a configuration interface similar to Privacy Bird's that is used as a starting point. Then, as users visit sites and discover that their agent is giving them advice that doesn't completely match their preferences, they can ask their agent to create new rules on the fly. Ideally their agent will also be able to observe patterns in the user's behavior and suggest new rules that would be appropriate. A good agent would also be able to provide educational information to users that would help them understand the privacy implications of the rules they select. An agent that is able to learn and adapt over time will be especially important if P3P user agents are used in the context of a privacy policy framework that goes beyond web sites, similar to the framework described in the "Introduction" section of this chapter.

[22] See Chapter 21, this volume.

22.3.2. Communicating with Users About Web Site Privacy Policies

One important function of a P3P user agent is to present users with information about web site privacy policies so that they can make informed decisions about their interactions with those sites. Implementing this function might not be particularly challenging if standard, easy-to-understand privacy notices were in widespread use. Imagine, for example, that we were developing a nutrition user agent in the form of a handheld device that people could take to the grocery store and point at items they were considering purchasing. The agent would display nutrition information, customized for each individual's needs. Because people have already become familiar with legally mandated nutrition labels, it might make sense to use the standard nutrition label format as a starting point. I could then augment this label to take advantage of the fact that it is being displayed on an electronic device rather than a static paper label. For example, I might design a label in which the serving size was adjusted to the amount each individual was likely to actually eat. Individuals who were counting calories, or carbs, or avoiding dairy products, or whatever, could have the display customized to highlight the fields most relevant to their diet. Clicking on a field could bring up additional information such as definitions, health tips, or comparisons with other products.

There has been discussion among privacy advocates, regulators, and industry representatives about the need for a standard privacy notice format, similar to a nutrition label. This is sometimes referred to as a short notice or a layered notice because it is envisioned as a summary of, rather than a replacement for, a full privacy policy. Industry groups tend to advocate formats that offer a lot of flexibility and allow companies to use their own language to fill in a number of prescribed privacy-related fields.[23] On the other hand, consumer advocates tend to prefer much more restrictive formats with standard language and even checkboxes to indicate which practices apply.[24] In the meantime, a standard privacy notice format has yet to emerge.

[23] See, for example, comments submitted by the Center for Information Policy Leadership at Hunton & Williams (CIPL) in response to the request for public comments in the Advance Notice of Proposed Rulemaking on Alternative Forms of Privacy Notices under the Gramm-Leach-Bliley Act (March 29, 2004); http://www.hunton.com/info_policy/pdfs/CIPL_Notices_ANPR_Comments_3.04.pdf.

[24] See, for example, comments submitted by Privacy Rights Clearinghouse, Consumers Union of U.S., Inc., Consumer Action, Identity Theft Resource Center, World Privacy Forum, and Privacy Activism in response to Federal Agencies' Joint Request for Comment: Alternative Forms of Privacy Notices (March 26, 2004); http://www.privacyrights.org/ar/ftc-noticeANPR.htm#AttachA.

We developed our own privacy notice format for use as the Privacy Bird "Policy Summary," as shown in Figure 22-8. The Policy Summary begins with a Privacy Policy Check, which indicates the cause of the mismatch at sites that do not match a user's privacy preferences. For example, a site's policy might match a user's preferences except for the fact that the site engages in telemarketing. If the site provides a way for users to opt out of receiving telemarketing solicitations, the policy summary includes a hyperlink that takes users to the opt-out instructions. Below the Privacy Policy Check is a summary derived from the site's P3P policy. It includes a bulleted summary of each statement in the policy, as well as information from the P3P access, disputes, and entity elements, including images of any privacy seals referenced. Rather than use the full definitions of each element from the P3P specification, we developed abbreviated descriptions using plain language. We append the words "unless you opt-out" to those purposes for which an opt-out is available, and provide a hyperlink to the site's instructions for opting out. We append the words "only if you request this" to purposes that occur only if a user opts in. Future versions of Privacy Bird will use the standardized plain-language descriptions developed for P3P 1.1.

Figure 22-8. A Privacy Bird beta 1.1 Policy Summary for a site that does not match the user's preferences
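As an added example (not Privacy Bird's own code), the following Python script applies two of the decisions described above to a P3P 1.0 policy: it bundles the six RECIPIENT values into sharing and nonsharing exactly as the preference interface does, and it renders opt-out and opt-in purposes with the phrases the Policy Summary uses, then reports which enabled warning conditions a policy trips. The three condition names and the two-statement sample policy are constructed for this example and are not the 12 conditions of Figure 22-7.

```python
"""Match a P3P 1.0 policy against Privacy Bird-style warning conditions.
Added example, not Privacy Bird's own code: RECIPIENT values are bundled into
sharing / nonsharing as in the chapter (only ours and delivery are nonsharing),
and opt-out / opt-in purposes get the Policy Summary's plain-language suffixes.
Condition names and the sample policy are constructed here."""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"
NONSHARING_RECIPIENTS = {"ours", "delivery"}  # the chapter's "nonsharing" group

# Three warning conditions (names are mine); each is a predicate over one statement.
CONDITIONS = {
    "share-with-others": lambda s: bool(s["recipients"] - NONSHARING_RECIPIENTS),
    "telemarketing": lambda s: "telemarketing" in s["purposes"],
    "sensitive-data": lambda s: bool(s["categories"] & {"financial", "health"}),
}

def _local(tag):
    """Strip the XML namespace: '{ns}ours' -> 'ours'."""
    return tag.rsplit("}", 1)[-1]

def _children(element, name):
    child = element.find(f"{{{P3P_NS}}}{name}")
    return [] if child is None else list(child)

def parse_policy(xml_text):
    """Return one dict per STATEMENT: purposes (with required attr), recipients, categories."""
    statements = []
    for st in ET.fromstring(xml_text).iter(f"{{{P3P_NS}}}STATEMENT"):
        categories = set()
        for cats in st.iter(f"{{{P3P_NS}}}CATEGORIES"):
            categories.update(_local(c.tag) for c in cats)
        statements.append({
            "consequence": (st.findtext(f"{{{P3P_NS}}}CONSEQUENCE") or "").strip(),
            "purposes": {_local(p.tag): p.get("required", "always")
                         for p in _children(st, "PURPOSE")},
            "recipients": {_local(r.tag) for r in _children(st, "RECIPIENT")},
            "categories": categories,
        })
    return statements

def describe_purposes(stmt):
    """Purpose list with the suffixes the Policy Summary appends, in sorted order."""
    suffix = {"opt-out": " (unless you opt-out)", "opt-in": " (only if you request this)"}
    return [p + suffix.get(r, "") for p, r in sorted(stmt["purposes"].items())]

def privacy_policy_check(statements, enabled_conditions):
    """Return (condition, statement index) pairs that trigger a warning.
    Opt-in purposes are dropped first: they occur only if the user asks.
    Opt-out purposes still warn, since the user must act to avoid them."""
    mismatches = []
    for i, stmt in enumerate(statements):
        effective = dict(stmt, purposes={p: r for p, r in stmt["purposes"].items()
                                         if r != "opt-in"})
        mismatches += [(c, i) for c in enabled_conditions if CONDITIONS[c](effective)]
    return mismatches

# Constructed two-statement policy: clickstream data kept in house, and order
# data that goes to a third party, with telemarketing unless the user opts out.
SAMPLE_POLICY = f"""<POLICY xmlns="{P3P_NS}" discuri="http://example.invalid/privacy">
 <STATEMENT>
  <CONSEQUENCE>Clickstream data is used to run and improve the site.</CONSEQUENCE>
  <PURPOSE><current/><admin/><develop/></PURPOSE>
  <RECIPIENT><ours/></RECIPIENT>
  <RETENTION><indefinitely/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.clickstream"><CATEGORIES><navigation/><computer/></CATEGORIES></DATA></DATA-GROUP>
 </STATEMENT>
 <STATEMENT>
  <CONSEQUENCE>Order data ships your package and may be used to call you.</CONSEQUENCE>
  <PURPOSE><current/><telemarketing required="opt-out"/><contact required="opt-in"/></PURPOSE>
  <RECIPIENT><ours/><delivery/><other-recipient/></RECIPIENT>
  <RETENTION><business-practices/></RETENTION>
  <DATA-GROUP><DATA ref="#dynamic.miscdata"><CATEGORIES><purchase/><financial/></CATEGORIES></DATA></DATA-GROUP>
 </STATEMENT>
</POLICY>"""

if __name__ == "__main__":
    stmts = parse_policy(SAMPLE_POLICY)
    for cond, i in privacy_policy_check(stmts, list(CONDITIONS)):
        print(f"warning: {cond}; statement {i + 1}: {stmts[i]['consequence']}")
    print(describe_purposes(stmts[1]))
```

Run as a script, it prints one warning per tripped condition for the second statement and the purpose list with the "unless you opt-out" and "only if you request this" suffixes attached.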


As discussed earlier, P3P policies include one or more statements that describe how a set of data may be used by a web site. Many P3P policies include just two or three statements; for example, a statement describing clickstream data sent automatically by the web browser, and a statement describing information users type into web forms. However, some policies include 6 to 10, or even more statements. At sites with a small number of statements, it is easy for a user to quickly scan each one to look for objectionable data practices. However, at sites that have a large number of statements, such a scan can be laborious. In Privacy Bird beta 1.2, we tried to address this concern by adding the ability to expand and collapse elements of the Policy Summary display. When the Policy Summary opened, users could view a list of statements with short descriptions of each one (generated from the human-readable "consequence" fields in the P3P policy), as shown on the left side of Figure 22-9. Users who want more details about a statement can expand it, as shown on the right side of Figure 22-9.

We found some confusion among users about how to access the expand/collapse feature (because it was not obvious that the + and - were clickable), but once they figured it out, users seemed to find the feature helpful. Nonetheless, it does not seem to completely address a problem that many users would like to solve: to see at a glance whether and how a web site will share their personal information or contact them for marketing purposes. In the future, I would like to experiment with displaying a summary of this information gathered from across all of the statements in a policy. For example, a summary statement might say, "This site will not share your personal information, except with delivery companies. This site will send you marketing email only if you specifically request it." The italicized phrases could be hyperlinked to the statements where these particular practices are explained.

Figure 22-9. The Privacy Bird beta 1.2 expand/collapse interface

22.3.3. Privacy Icons

Privacy Bird uses icons to provide immediate feedback about whether a site's policy matches a user's preferences. Thus, if a user sees that a policy matches her preferences, in many cases she would not need to look any further. Developing an appropriate icon set and determining where to locate the icon on the screen was a challenge. Other privacy tools have frequently used symbols involving eyes, window shades, and keyholes. Informal feedback and feedback from our focus groups suggested that while these symbols may convey a sense that the tool has something to do with privacy, individuals typically have little idea about exactly what these symbols mean. Furthermore, when designing Privacy Bird, we wanted to select symbols that would convey the messages "your preferences are matched" and "your preferences are not matched" rather than "your privacy is protected" and "your privacy is not protected." Thus, we focused on finding symbols that would suggest an agent providing advice. In one prototype, we used a thumbs-up and thumbs-down symbol color-coded with traffic light colors. Our usability test results indicated that this symbol effectively conveyed our intended meaning. However, it appeared that users were relying on the colors more than the symbols, and that they were having difficulties distinguishing the symbol shapes when they appeared as small icons on the computer screen. We later learned that the thumbs-up gesture is interpreted as a rude gesture in some cultures.[25]

[25] See http://www.msc.navy.mil/msccent/taboos.htm.

When other aspects of our interface design required us to change the shape of the icon from a square to a horizontal rectangle, we revisited the symbol question and came up with the following bird symbols (retaining the traffic light colors), also shown in Figure 22-10.

  • A happy green bird indicates a site that matches a user's preferences.

  • The same green bird with an extra red exclamation point indicates a site that matches a user's preferences but contains embedded content that does not match or does not have a P3P policy.

  • A confused yellow bird indicates a site that does not have a P3P policy.

  • An angry red bird indicates a site that does not match a user's preferences.

  • A sleeping gray bird indicates that the tool is turned off.

The bubbles are designed to be distinguishable by colorblind users and users who do not have color displays. Sounds associated with the red, green, and yellow birds serve to reinforce the visual icons (users can choose whether they want to hear these "earcons"). When a user hovers a mouse over the bird icon, a text message explains the meaning of the icon as well.

Figure 22-10. Privacy Bird icons: (a) Site matches user's preferences; (b) site matches user's preferences but contains embedded content that does not match or does not have a P3P policy; (c) site is not P3P enabled; (d) site does not match user's preferences; (e) Privacy Bird is disabled


Our choice of traffic light colors seems to resonate well with users. However, it does send one message that has the potential to be misleading. Web sites that don't have P3P policies are given yellow birds, and sites with policies that don't match a user's preferences are given red birds. This suggests that the sites with policies that are known to conflict with a user's preferences are worse than those with unknown policies. Whether sites that are not P3P enabled should be considered better or worse than those that are P3P enabled but have unacceptable policies is a debatable question. By assigning sites with unknown policies a yellow bird, we convey the message that users should be cautious when visiting these sites, but that they aren't as bad as sites that have red birds. Arguably, to promote P3P adoption, it would be better to assign these sites a symbol that users would interpret as worse than the symbol assigned to sites that do not match their preferences. However, users might find this approach discouraging while the majority of sites they visit are not P3P enabled.

We decided to locate the bird icons in the top-right corner of the browser's title bar for several reasons. First, this enables us to have a separate icon for every browser window a user has open and to have those icons remain visible. Attaching the icon to another part of the browser window (for example, in the button area) would cause it to disappear when browser windows are opened as pop-up windows. Placing the icon on a separate toolbar would result in a single icon that applies only to the browser window currently in focus.[26] Placing the icon at the bottom of the browser window would result in an icon situated in an area of the screen where most users rarely look.[27] However, this is where the Internet Explorer 6 privacy icon, a do-not-enter sign superimposed on an eye, appears to indicate that cookies have been blocked or restricted.

[26] In our beta 1.2 release, in response to user requests, we did end up introducing an option that allows users to move the bird off the title bar and place it wherever they want on the screen, but this option has the same drawback as the toolbar option.

[27] J. McCarthy, M. A. Sasse, and J. Riegelsberger, "Could I Have the Menu Please? An Eye Tracking Study of Design Conventions," Proceedings of HCI 2003 (Bath, UK, Sept. 8-12, 2003).

WHY A BIRD?

We selected a bird to personify the agent because of some of the images it brings to mind, such as "a little bird told me" and a canary in a coal mine serving as an early warning of hazardous gases. More recently, sentinel chickens have served as an early warning of the West Nile virus, and it has been pointed out to us that in the Biblical story of Noah's Ark, a bird was dispatched to determine whether the flood was over. Because the bird symbol does not suggest anything related to privacy, users do not know what it means out of context, and often must read the Privacy Bird tutorial or spend some time using the software before the meaning of the bird symbols is completely clear. In one of our studies, when we asked subjects to associate a meaning with the Privacy Bird icons before they read the tutorial, several subjects suggested a literal meaning of the icons; for example, the singing bird might indicate a site that plays music, and the swearing bird might indicate that a site uses foul language. Despite this confusion, subjects did seem to understand intuitively the idea of the bird as a trusted agent. Because Privacy Bird users have to proactively download and install this software, we felt that it was more important that the symbol convey the tool's role as an agent without misleading users into believing that their privacy would be protected for them, rather than conveying that this was a privacy tool. If Privacy Bird were built directly into a browser or other software, it would be more important to communicate to users that this symbol was part of a privacy-related feature.

We have received some suggestions for minor changes to the bird artwork to make the bird symbols more easily recognizable on a computer screen. While we have received occasional feedback that the bird is not a serious enough symbol to be used when discussing important privacy concerns, as well as some concerns about slang uses of the term "bird," most of the feedback we have received about our choice of symbols has been positive. In addition, anecdotal evidence suggests that some users are attracted to Privacy Bird because they want to have a "cute" bird in their browser window, and only after downloading the software do they learn about its privacy-related features.

Some of the most passionate feedback we received about Privacy Bird concerned the sounds that users can configure to accompany the appearance of the bird symbols. While many users found the sounds to be a useful reinforcement for the visual symbols, and some found them to be generally enjoyable, some users complained that they found the sounds extremely annoying. One user complained, "Damned crow caw really grates on you after a while," and another wrote, "I was driven almost to a state of collapse; I used to jump when I heard the same bird call in my yard...." In response to user requests, we introduced an option that effectively results in the sounds being played only once a day at each site a user visits.

Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295