Section 24.5. The Scope of Informed Consent: Questions Motivated by Gmail


24.5. The Scope of Informed Consent: Questions Motivated by Gmail

In the first two cases, we provided "proof-of-concept" projects for ways in which the information systems community can design for informed consent. In our third case, Google's Gmail web mail (web-based email) system, we examine the scope of informed consent: namely, are there issues concerning privacy and security that informed consent cannot reasonably address? And, if so, how do these issues affect informed consent?

24.5.1. What Is Gmail?

Gmail (http://www.gmail.com) is Google's web mail system, currently in beta testing. Similar to other free email services, such as those provided by Yahoo! Mail or Hotmail, Gmail provides three key additional features:

  • A larger amount of storage space for one's email than is typically provided (as of December 2004, 1 GB of storage as compared to Yahoo! Mail's 250 MB or Hotmail's 250 MB)

  • The ability to use Google search technology to search one's email messages

  • Grouping an email and the replies to it as a conversation

As with most free web mail services, Gmail subscribers see advertising alongside their email. However, unlike other free web mail providers, Gmail determines which advertisements to display based on the content of the subscriber's email message. For example, if a Gmail subscriber receives an email message from a friend asking to borrow the subscriber's bicycle, the subscriber would likely see advertisements related to online bicycle vendors alongside the email message (see Figure 24-4).

Figure 24-4. Viewing an email message in Gmail; advertisements targeted to the content of the body of the message (in this case, bicycles) appear to the right of the email message, under the label Sponsored Links


24.5.2. How Gmail Advertisements Work

Let's look briefly at both the Gmail business model and its technology:

  • The business model. In a nutshell, Google charges advertisers only when a user clicks on an advertisement. When advertisers submit their advertisements to Google, they negotiate a "rate-per-user-click" and designate keywords they believe to be most relevant to their advertisement.[25]

    [25] Google, Google Adwords (2004) [cited Dec. 2004]; https://adwords.google.com/select/.

  • The technology. The following automated process occurs dynamically each time a Gmail subscriber clicks on an email entry. The Gmail system retrieves the message and scans the text (attachments are not scanned) for keywords (provided earlier by advertisers) in the body of the email message.[26] Based on the results of scanning the message, as well as on how well the advertisement keywords match the email content, the amount advertisers pay per user-click, and the prior click-through rate (i.e., the number of clicks divided by the number of times the advertisement has been displayed), Google computers select and determine the order in which to display advertisements. The selected advertisement is displayed near the subscriber's message; no link is established between the advertisement and the email message. The only information Google relinquishes to its advertisers is the number of times their advertisement was chosen for display and the click-through rate. No personal information about subscribers or the content of email messages is released to advertisers.

    [26] According to Ana R. Yang (product marketing manager, Gmail), personal email (Dec. 4, 2004).
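The selection process described above, modelled as an added example (not Google's code or the book's): ads are ranked by keyword match, bid and prior click-through rate, attachments are never scanned, and the only record released to advertisers holds display counts and CTR, with no message content or message identifiers. The scoring formula, the 1% CTR floor and the sample ads are assumptions constructed for this illustration.

```python
"""Illustrative model of the ad-selection process described in Section 24.5.2.
Added example, not Google's code: the page names the inputs (keyword match,
bid per click, prior click-through rate) and what advertisers receive (display
count and click-through rate); the formula and data structures are assumed."""
import re
from dataclasses import dataclass, field


@dataclass
class Ad:
    ad_id: str
    keywords: frozenset   # keywords the advertiser designated as relevant
    bid_per_click: float  # negotiated rate-per-user-click


@dataclass
class AdLedger:
    """Per-ad aggregate counters. Holds no message text and no message
    identifiers, so no link exists between an impression and an email."""
    displays: dict = field(default_factory=dict)
    clicks: dict = field(default_factory=dict)

    def prior_ctr(self, ad_id):
        shown = self.displays.get(ad_id, 0)
        return self.clicks.get(ad_id, 0) / shown if shown else 0.0

    def record_display(self, ad_id):
        self.displays[ad_id] = self.displays.get(ad_id, 0) + 1

    def record_click(self, ad_id):
        self.clicks[ad_id] = self.clicks.get(ad_id, 0) + 1

    def advertiser_report(self, ad_id):
        """Everything an advertiser receives: impressions and CTR only."""
        return {"displays": self.displays.get(ad_id, 0),
                "ctr": self.prior_ctr(ad_id)}


def select_ads(body, attachments, ads, ledger, limit=3):
    """Rank ads for one message and record the impressions. Only the body is
    scanned; `attachments` is accepted only to make explicit that it is never
    consulted. Assumed score: fraction of the ad's keywords found in the body,
    weighted by bid and by prior CTR (floored at 1% so a new ad can appear)."""
    del attachments  # not scanned, as the text states
    words = set(re.findall(r"[a-z0-9']+", body.lower()))
    ranked = []
    for ad in ads:
        hits = len(ad.keywords & words)
        if hits:
            ctr = max(ledger.prior_ctr(ad.ad_id), 0.01)
            ranked.append((hits / len(ad.keywords) * ad.bid_per_click * ctr, ad.ad_id))
    ranked.sort(reverse=True)
    chosen = [ad_id for _, ad_id in ranked[:limit]]
    for ad_id in chosen:
        ledger.record_display(ad_id)
    return chosen


# Constructed sample: three ads and the bicycle message from the text.
SAMPLE_ADS = [Ad("bike", frozenset({"bicycle", "bike"}), 0.50),
              Ad("travel", frozenset({"flight", "hotel"}), 0.80),
              Ad("helmet", frozenset({"bicycle", "helmet"}), 0.40)]
SAMPLE_BODY = "Hi! Could I borrow your bicycle this weekend?"
SAMPLE_ATTACHMENTS = ["flight and hotel itinerary.pdf"]  # ignored by design
```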

24.5.3. Gmail and the Six Components of Informed Consent

In the context of this business model and technical implementation, how well does Gmail meet the criteria for informed consent? To make this assessment, we analyzed Gmail's Terms of Use,[27] Program Policy,[28] and Privacy Policy[29] in relation to Gmail's functionality as described above. Between these documents, Gmail's registration interface, and the user interface, Google addresses each of the different components of informed consent in a reasonably thorough manner.

[27] Google, Gmail Terms of Use (2004) [cited Dec. 2, 2004]; http://gmail.google.com/gmail/help/terms_of_use.html.

[28] Google, Gmail Program Policies (2004) [cited Dec. 1, 2004]; http://gmail.google.com/gmail/help/program_policies.html.

[29] Google, Gmail Privacy Policy (2004) [cited Nov. 15, 2004]; http://gmail.google.com/gmail/help/privacy.html.

24.5.3.1 Disclosure

As of December 2004, the Gmail privacy policy explicitly states:


What information will be collected about subscribers and their activities

For example, "personal information including your first and last name, a user name...and a password," "log information...browser type you used, your Internet Protocol address, and the date and time of day...the unique ID provided by our cookie and the URL of the last site you visited."


Who will have access to the information

For example, "No human reads your email...without your consent," "Google will never sell, rent or share your personal information...with any third parties for marketing purposes without your express permission."


What the information will be used for

For example, subscribers' accounts will be used "internally to deliver the best possible service to you, such as improving the Gmail user interface, preventing fraud within our advertising system, and better targeting related information."


How the identity of the individual will be protected

For example, employees who have access to user information are monitored and educated to protect the user's privacy.[30]

[30] Ibid.

Overall, Google discloses an impressive amount of the right type of information to enable informed consent. We note one anomaly: Google provides only vague details about how long information is kept.

24.5.3.2 Comprehension

The Privacy Policy uses fairly clear, jargon-free English; this goes a good distance toward helping ensure comprehension. To further support comprehension, Google could provide an opportunity for dialog and clarification about Gmail policies and practices by publishing a way to contact the appropriate Google personnel (e.g., email address, phone number, or online chat).

24.5.3.3 Voluntariness

Gmail subscribers' consent can be considered voluntary for two reasons:

  • Gmail's Terms of Use and Privacy Policy contain reasonably neutral language that does not attempt to coerce or manipulate users to use Gmail.

  • Other free web mail services are available, albeit with substantially less storage space and perhaps not as high-quality search technology, that do not scan users' email for the purpose of displaying content-targeted advertisements.

24.5.3.4 Competence

Competence is difficult to assess in online interactions, and how to do so remains an open problem for the information systems community. Within the bounds of current knowledge and practice, Gmail's Terms of Use addresses the competence of minors by stating: "Due to the Children's Online Privacy Protection Act of 1998 (which is available at http://www.ftc.gov/ogc/coppa1.htm), you must be at least thirteen (13) years of age to use this Service."[31]

[31] Google, Gmail Terms of Use.

24.5.3.5 Agreement

Google requires explicit consent with Gmail's Terms of Use before the user receives a Gmail account. In practice, the user must click a large button at the end of the registration process signaling agreement to the Terms of Use. However, the Terms of Use does not provide information about whether subscribers can withdraw from the agreement and, if so, whether it is possible to delete their Gmail accounts. Indeed, it is possible to do both, but subscribers must navigate through several different layers of menus to do so.

24.5.3.6 Minimal distraction

Setting aside users' tendency not to read agreement policies during online registration processes, we address the criterion of minimal distraction within the constraints of online interactions. Links to Gmail's Terms of Use and Privacy Policy are always at the bottom of a user's email, thus making it easy for the user to see what he has agreed to while not being distracted from the task at hand: reading and sending email.

24.5.4. Two Questions Related to Informed Consent

Despite Google's reasonable handling of informed consent, privacy advocates have made claims that scanning personal email to place content-targeted advertisements is still a privacy invasion. Their claims revolve around two primary questions:[32]

[32] Chris Jay Hoofnagle, Beth Givens, and Pam Dixon, Violation of California Civil Code § 631 by Google Gmail Service, Electronic Privacy Information Center (EPIC, 2004) [cited Nov. 15, 2004]; http://www.epic.org/privacy/gmail/agltr5.3.04.html.

  • Does using machines to read personal email constitute a privacy violation?

  • Should the consent of indirect stakeholders (i.e., email senders) also be obtained?

We turn now to discuss these two questions and their relation to informed consent.

24.5.4.1 The question of machines reading personal content

This question is not so much one of informed consent as it is one of privacy. Namely, what do we mean by privacy and, in turn, who or what can violate a person's privacy? Consider the following two definitions of privacy:

  • Parent's definition. W. A. Parent defines privacy as the "condition of not having undocumented personal information about oneself known by others."[33] This definition requires an "other" who can "know" something. Putting aside artificial intelligence claims for machine agency, this definition implies that the information must be imparted to another human. Google assumes such a definition when making the claim that Gmail's content-targeted advertising does not violate privacy because no human being ever reads subscribers' email.

    [33] W. A. Parent, "Recent Work on the Conception of Privacy," American Philosophical Journal Quarterly 20 (1983), 341.

  • Bloustein's definition. In contrast, consider an alternative definition by Edward Bloustein: privacy preserves one's inviolate personality, independence, and dignity.[34] For Bloustein, a privacy violation concerns the act of intrusion upon the self, independent of the state of mind (or knowledge) of the intruder. Privacy advocates troubled by Google's practices likely share Bloustein's view of privacy when they claim that by extracting meaning from a subscriber's email message, whether with a machine reader or a human reader, Google is violating privacy. Moreover, some privacy advocates are more concerned about machine than human readers because of computer efficiency, memory capacity, and power.

    [34] Edward J. Bloustein, "Privacy As an Aspect of Human Dignity," in Ferdinand David Schoeman (ed.), Philosophical Dimensions of Privacy: An Anthology (Cambridge University Press, 1964), 156-202.

24.5.4.2 The question of indirect stakeholders

Many privacy advocates also assert that content-targeted advertisements should not be allowed without the consent of all parties involved in an email exchange. While Gmail does obtain the consent of the subscriber, it does not obtain the consent of the email sender. Yet personal content from an email sender is scanned to generate content-targeted advertisements to the email receiver.

Google argues that Gmail's practices are not a violation of the sender's privacy "since no one other than the recipient is allowed to read their email messages, and no one but the recipient sees targeted ads and related information."[35] A further argument against obtaining sender consent could be made by adopting the United States' model of ownership for physical mail. As soon as physical mail is delivered to receivers, it is considered to be the receivers' property; at that point, receivers may do whatever they please with the mail. Thus, the question becomes, "Is the model of ownership for physical mail an adequate or desirable model for ownership of email?"

[35] Google, More on Gmail and Privacy (2005) [cited July 30, 2005]; http://mail.google.com/mail/help/more.html.

24.5.5. Reflections

In this case, we have argued that privacy advocates' claims against Gmail are not claims about informed consent per se, but rather, claims that concern differing views of privacy and ownership. Google has done a reasonable job obtaining informed consent under its notions of privacy and property, but it is possible that these notions are inappropriate for email and need to be reconsidered. Overall, the case of Gmail illustrates that at times, considerations beyond the scope of informed consent (e.g., privacy, ownership) need to be understood in order to ascertain when informed consent is relevant.

24.5.6. Design Principles for Informed Consent for Information Systems

In our view, design refers not only to the design process and resulting technology, but also to policy and business practice. Given this broad context for design, and based on the model of informed consent for information systems and the three cases, we now distill 10 design principles:

  1. Decide what technical capabilities are exempt from informed consent.

    Obtaining users' informed consent comes with a high cost to users. Information must first be disclosed and comprehended by users, who must then have an opportunity to agree or decline. And while all of this is being done, the user has been diverted from the task at hand: the thing that the user really wanted to do. Let us refer to these costs for obtaining the user's informed consent as "the nuisance factor." If all interactions with information systems required explicit informed consent, the nuisance factor would be unmanageable. Users would simply crumble under the burden.

    Fortunately, a fair number of interactions with information systems may be considered exempt from the need to obtain users' informed consent. But how are designers to determine which interactions are exempt? While there are no hard and fast rules, the Belmont Report[36] on human subjects research offers some useful guidelines. According to the report, an individual's participation is considered exempt from the need to obtain informed consent when the following three conditions are met:

    [36] The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, "The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research" (1978).

    • Participation can in no way put the individual in physical, legal, psychological, or social jeopardy. To this list of harms, for interactions with information systems we also include that participation does not place the individual's privacy, data, or hardware in jeopardy.

    • The purpose and sponsorship of the activity is known (or clearly stated to the individual).

    • No coercion is involved.

    Designers can invoke these three criteria to scrutinize information system-based interactions for exemption from informed consent. Granted, it may be difficult to make these judgments in advance; however, defensible assessments should be made, and if the initial assessments are in error, then remedies should be implemented.

  2. Invoke the sanction of implicit consent with care.

    On the surface, implicit consent seems a reasonable umbrella to cover most online interactions. After all, users do not interact online, as in the canonical example, with a gun held to their heads. However, unless users have comparable (with respect to costs such as time, effort, knowledge, and expense) alternative access to comparable services, products, information, and so forth, then information system use may not be regarded as wholly noncoercive. Given the rapidity and widespread movement with which access to goods and services has moved online and the corresponding movement to discontinue or minimize traditional means of access, the viability of alternative comparable access to goods and services is at times slim and getting slimmer. In this climate, we advocate presuming that implicit consent is not a viable option, and only in special circumstances and after careful consideration invoking the sanction of implicit consent.

    Further challenges for implicit consent arise from the criterion of disclosure. The disclosure issue can be understood as follows: although the user may be told what mechanisms are enabled, the user may not be aware of the full implications of those mechanisms. For example, while many users were aware of and enabled cookies, few users understood the implications of cookies for individual privacy (until an extensive public discussion took place).

  3. Understand the scope of informed consent and how informed consent interacts with other values.

    Informed consent concerns the important but limited activities of "informing" those affected by using, or the use of, an information system and obtaining their "consent" for that participation. Thus, informed consent closely interacts, but is not synonymous, with other values such as privacy, trust, and security. Nonetheless, how those other values are defined (e.g., can a machine invade a person's privacy?) has implications for what activities may require consent; for example, obtaining user consent for machine reading of personal content in an email message.

  4. Consider both direct and indirect stakeholders.

    Designers and usability engineers too often focus only on those users who interact directly with the information system without considering the system's impact on others, whom we refer to as indirect stakeholders. At times, it may be important to obtain informed consent from indirect as well as direct stakeholders (see the earlier sidebar, "Value Sensitive Design").

  5. Put users in control of the "nuisance factor."

    Different users place differing degrees of importance on different types of harm. Correspondingly, how much of a nuisance factor a user is willing to tolerate to obtain informed consent will depend on the particular user. Rather than mandating a single mechanism for obtaining informed consent for all users in all situations, designers need to provide users with a range of mechanisms and levels of control so that users are positioned to manage the nuisance factor in accordance with their concerns. Successful designs will likely contain a reasonable balance among overarching controls (e.g., "never accept cookies" or "always accept cookies"), micromanaged controls (e.g., "ask about each cookie"), and intermediate controls that mix well-chosen overarching controls with micromanaged subsets (e.g., "decline all third-party cookies and ask me about all other cookies").

  6. Defaults matter.

    It is well established that most users do not change preference settings. Thus, default settings should err on the side of preserving informed consent. Notably, for many years, the default setting for cookies on current browsers was "accept all cookies," which neither informs nor obtains consent from users. Default settings will also need to take into account the nuisance factor to obtain users' informed consent (see Design Principle 5).

  7. Avoid technical jargon.

    Follow the well-established interface principle to avoid technical jargon in favor of clear language that directly addresses the user's values, needs, and interests.

  8. Inform through the interaction model.

    In addition to using words to explicitly inform users, take advantage of the mental models that users construct through their interaction with a system to reinforce reasonably accurate conceptions of how information is secured and flows through the system. Avoid interaction models that may lead to misleading or ambiguous user conceptions of information flow (e.g., in web browsers, the use of locks that suggest a secure "place" to indicate a secure connection for information while it is in "transit" over the Internet).

  9. Field test to help ensure adequate comprehension and opportunities for agreement.

    Because information systems will likely rely on automated means to realize informed consent, designers face significant challenges in ensuring adequate disclosure, comprehension, and opportunities for agreement. Thoughtful interface design will need to be coupled with equally thoughtful field tests to validate and refine the initial designs. Moreover, because informed consent carries a moral imperative, the components of disclosure, comprehension, and agreement need to work reasonably well for all users. Thus, it becomes a requirement (and not simply better practice) to include a reasonable range of both representative and atypical users in the field tests.

  10. Design proactively for informed consent.

    More frequently than not, information systems are conceived of and implemented without consideration of informed consent. Once introduced, practices evolve around these new interactions, and these, too, develop without consideration of informed consent. When issues of informed consent at last come to the fore, designers face a nearly insurmountable task: to retrofit the information system capability and interaction. The solution, in part, is to design proactively for informed consent.
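Design Principles 5 and 6 in code, as an added example rather than anything from the book or a real browser: the three tiers of cookie control named in Principle 5 (overarching, micromanaged, intermediate), a default that errs toward informed consent as Principle 6 asks, and a count of how many prompts each policy raises over a constructed browsing session, which makes the "nuisance factor" concrete. The policy names, the two-label domain heuristic and the sample session are assumptions.

```python
"""Added example for Design Principles 5 and 6: a cookie-consent policy engine.
Not code from the book or any browser; policy names, the domain heuristic and
the sample session below are constructed for this illustration."""
from collections import Counter

ACCEPT, DECLINE, ASK = "accept", "decline", "ask"

# Overarching controls decide every cookie the same way; the micromanaged
# control asks about each one; the intermediate policy applies an overarching
# rule to third-party cookies and prompts only for the rest (Principle 5).
POLICIES = {
    "accept_all": lambda third_party: ACCEPT,
    "never_accept": lambda third_party: DECLINE,
    "ask_each": lambda third_party: ASK,
    "decline_third_party_ask_others": lambda third_party: DECLINE if third_party else ASK,
}

# Principle 6: the shipped default is the intermediate policy, not
# "accept_all", which neither informs nor obtains consent.
DEFAULT_POLICY = "decline_third_party_ask_others"


def registrable_domain(host):
    """Two-label approximation of the registrable domain (assumption for this
    example; real browsers consult the public suffix list)."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def is_third_party(page_host, cookie_domain):
    """A cookie is third-party when its domain differs from the page's site."""
    return registrable_domain(page_host) != registrable_domain(cookie_domain)


def decide(page_host, cookie_domain, policy=DEFAULT_POLICY):
    return POLICIES[policy](is_third_party(page_host, cookie_domain))


def nuisance_report(session, policy=DEFAULT_POLICY):
    """Count outcomes over a session of (page_host, cookie_domain) pairs.
    Each ASK is one interruption, so the ASK count is the nuisance factor."""
    return Counter(decide(page, dom, policy) for page, dom in session)


# Constructed session: three first-party cookies and two from a tracker domain.
SAMPLE_SESSION = [
    ("www.example.com", "example.com"),
    ("www.example.com", ".ads.example-tracker.net"),
    ("news.example.org", "news.example.org"),
    ("news.example.org", ".example-tracker.net"),
    ("shop.example.com", ".shop.example.com"),
]
```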



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295